Call recording is a process that is widely used by businesses and organizations across the globe, but the process which companies follow to record calls will change with the introduction of the GDPR on May 25, 2018.
Call recording is widely recognized as a valuable tool and the GDPR will not outlaw it. However, there are regulations that businesses need to be aware of to allow them to continue recording calls.
Non-compliance with GDPR can prove costly, as it can lead to a fine of up to €20 million or 4% of annual turnover, whichever figure is higher. For this reason, companies must examine their current recording procedures and take steps to fix any violations.
Is the Individual Aware they are Being Recorded?
One of the most important considerations regarding compliance with the GDPR is whether an individual is aware they are being recorded. In order to comply with regulations, they need to be aware and to have given their consent for a recording to be made.
As opposed to previous systems which merely informed callers that they may be recorded without allowing any input from the individual, the GDPR states that “silence […] or inactivity should not […] constitute consent”
Users must therefore take an unambiguous affirmative action such as an oral statement to give their consent for the recording. Use of the service cannot be conditional on the user giving consent for data to be recorded unless the data is necessary to render the service.
Is the Recording Stored Securely and Effectively?
GDPR stipulates that personal data needs to be stored and processed in a way which maintains its security and in such a manner that it can be easily accessed if requests are made by the individual, or by relevant third parties. This means that any business which records calls needs to pay attention to the way they are stored and needs to implement a system to quickly retrieve saved data.
As users will have the right to request copies of their data that is held by an organization, the ability to search and copy recorded calls will be necessary. Requests of this type must be responded to within one month.
GDPR and Legitimate Interest
Consent is not the only factor which can authorize recording calls as there may be a valid (legal) reason for recording a phone call due to a different legitimate interest.
The GDPR notes that the right to data privacy is not an absolute right and it must be balanced against the rights and legitimate interests of others. For example, if someone is calling emergency services then the call may be recorded in the interests of safety.
Additionally, the recording of phone calls is obligatory in some business and trading sectors. Therefore, calls in these sectors would not need consent for the call to be recorded, although it is strongly advised that all parties to the call are aware of the recording.
Can the Recording be Deleted if Requested?
One important aspect of the GDPR is the right to be forgotten. This applies when an individual requests that data being held about them be deleted.
If there is no relevant reason for a business or organization to continue processing the information, they need to comply with the request for deletion. This means that businesses must consider ways in which they can identify and delete recorded calls when necessary.