On May 15th 2018, the General Data Protection Regulation becomes law, affecting more or less every single business in the UK. Most businesses are concerned merely with the eye-wateringly high fines that could potentially be applied to businesses who fail to adhere to the new regulation, or at least those who get caught. It seems very few businesses are focusing on the potential benefits that could be gained in adopting a fair and transparent data relationship with their customers.
As regards businesses which record calls, GDPR has either a huge impact or little impact at all on the call recording process. This is largely dictated by whether those businesses are currently recording calls because they have to, or simply because they want to.
Worrying GDPR compliance issues with most business phone systems
The wide-scale availability of low-cost or inclusive call recording capabilities in cloud-hosted telecoms services and on-premises IP-PBX installs means that calls can be recorded for little cost more or less at the click of a button. However, most call recording capabilities built into IP-PBXes and phones provide no encryption capabilities to secure call recordings, and don’t sufficiently control access to recordings. This means they fail to meet the most basic security requirements for current regulation, let alone GDPR; plus the fragmented nature in which notices are played and consent obtained makes auditing compliance impossible.
Most call recording capabilities built into IP-PBXes and phones provide no encryption capabilities to secure call recordings, and don’t sufficiently control access to recordings.
Like most other Hosted PBX platforms, Xewave offers call recording as a simple option that leads to mass adoption. The crucial difference with our solution is that our customers have complete control and visibility over the regulatory compliance of their actions. Later on, I’ll explain why this could mean the difference between being fully compliant and getting a hefty fine.
How does GDPR affect your ability to record calls?
In the UK, the recording of calls is currently governed by the Data Protection Act 1998. And, although it’s not mentioned specifically, the Act covers much of the basis on which the decision to record a call or not should be taken, as well as how the data should be stored. If you already follow the DPA to the letter of the law, then you are already only recording calls when you absolutely must and calls are stored securely with access strictly controlled and audited.
In terms of the handling of data, GDPR merely tightens up the existing DPA requirements and forces businesses to establish a chain of command on data management policy. Specific roles within the organisation will be tasked with ownership of data management policies and training of staff on the need for security and the penalties of not adhering to it.
Where GDPR does get interesting is in the additional rights which must be granted to customers, namely:
- Consent cannot be assumed, individuals must specifically opt-in to having information about them stored and the opt-in must be deliberate and unambiguous.
- An individual has the right to withdraw any previously granted consent at any time.
GDPR will impact the call-recording process significantly. The typical “calls are recorded for training and security purposes” warnings will no longer be sufficient to gain assumed consent to record calls. Additionally, when recording has commenced, should the caller withdraw their consent then the agent receiving the call must somehow be able to stop a previously started recording and ensure the recording does not get stored.
GDPR will impact the call-recording process significantly. The typical 'calls are recorded for training and security purposes' warnings will no longer be sufficient to gain assumed consent to record calls. Click To TweetThings get more confusing when your business is required to record calls for regulatory purposes, as in this case you are required by law to record calls. However, the recording contains personal data which in theory all parties must consent to. In these cases, any regulatory requirements trump those rights of the individual and therefore the call should be recorded. The problem here is that only relevant calls should be recorded, meaning that any enquiries which don’t meet the regulatory requirements for call recording cannot be stored if the individual has not opted in to having their data stored. This causes a major headache, as call recordings are not particularly indexable. Plus, gaining consent from the caller at the start of a call in the context of a discussion which is yet to happen isn’t easily done.
There are countless online articles citing the following justifications for call recording:
- The people involved in the call have given consent to be recorded.
- Recording is necessary in order to fulfill a contract.
- Recording is necessary for compliance with a legal obligation.
- Recording is necessary to protect the vital interests of a data subject or another person.
- Recording is in the public interest, or necessary for the exercise of official authority.
- Recording is in the legitimate interests of the recorder, unless those interests are overidden by the interests of the participants in the call.
Point 6 is so subjective and vague that any justification focusing on this reason is in very rough waters. So the remaining options can be boiled down to either of the following:
- Your industry requires you to record calls (e.g. financial services).
- You have obtained the specific consent of the caller to have their call recorded.
In terms of options 2-5, the issue is that while you may have commenced call recording based on the justification that a contract may be drawn up over the phone or some financial advice may be given, if none of this happens and the caller has not consented to call recording then you have no justification to store the recording. However, you need to ensure a failsafe situation that means a call which is justified is stored without any potential error by the agent receiving the call to authorise the storage.
How to ensure GDPR compliant call recordings?
The solution lies in developing a data protection policy for call recording which adheres to industry regulation, meets the requirements of GDPR and doesn’t scare the caller off before their enquiry gets answered. The key is to be transparent with your customers and trusting that they will respect your transparency by providing consent. If consent is not provided, then be OK with that, but inform the agent receiving the call so they fully understand what can and cannot be discussed on the call.
This goes along the lines of:
- Customer calls in to your call centre.
- You answer with an IVR along the lines of “Hello, we’re going to be discussing your finances and may be providing you advice, so are required to record the call to meet industry regulation. To consent to this call being recorded press 1, if you still want to talk to us but do not provide consent to the call being recorded press 2”.
- The caller presses 1 and hears: “Thank-you, your consent has been noted”, and is placed in the queue, hearing hold music or announcements.
- The agent receiving the call hears: “The caller has consented to call recording”, while the caller continues to hear hold announcements so they understand the state of consent and therefore call recording.
- Both parties are connected with the call being recorded, with the agent having full control over the future state of call recording.
If, however, the caller declines call recording they hear a prompt such as: “You have declined to having this call recorded. Unfortunately we will be unable to discuss financial matters with you, but stay on the line and we will answer your call as soon as possible”. The agent will be informed that the call is not being recorded with the message: “The caller has declined to call recording” prior to being connected.
Another option is to have the agent receiving the call obtain consent from the caller in such a way that the consent process is stored. If the consent is declined, then recording is immediately abandoned.
What happens if a caller submits a GDPR complaint?
In the event of any kind of complaint against your call recording process, you must be able to provide a robust response. The irony being that GDPR is actually forcing businesses to store more data on the details of a call than less.
In the event of any kind of complaint against your call recording process, you must be able to provide a robust response. The irony being that GDPR is actually forcing businesses to store more data on the details of a call than less. Click To TweetAny call recording that is stored should have all evidence backing up the justification for the call recording as well as clear and absolute evidence of the consent being granted. If you play prompts to gain consent, and receive input from the caller, then this needs to be stored in such as way as to be clear evidence for that specific call. The actual prompts played will need to be versioned for that call, or the consent must be audible within the recording.
Finally, the process of handling any withdrawal of consent needs to be catered for, either by request of the caller or by the agent who has identified the recording of the call is no longer necessary. This requires interactive input from the agent for controlling the state of recording. And, as part of this the agent should also have the ability to temporarily pause recordings and resume them if the topic of conversation drifts into an area where the justification for call recording does not cover, or another regulation overrules (for example PCI-DSS when taking card payments over the phone).
One thing that should not be overlooked is the inclusion of call recording into your privacy policy, and ensuring this is visible to customers. Your privacy policy should state clearly and in natural language:
- How you handle customer data.
- How long you handle it for.
- How a customer can revoke consent.
Any prompts you play to customers should lean on your existing privacy policy to reduce the amount of information that needs to be relayed by voice. If a customer invokes their right to be forgotten, any system you use for call recording needs to have sufficient capability to identify any calls made to or from that customer and contain the ability to permanently remove unwanted call recordings – including from any backups or replicas, which is a frequently ignored requirement.
So how exactly will Xewave solve your GDPR problems?
We’re no silver bullet, nobody can be. Essentially in terms of GDPR we are a “Data Processor”. Our duty is to provide the necessary tools, capabilities and underlying security to you, the “Data Controller”, so that you can create a call recording environment that meets the requirements of your Data Protection Policy.
Our GDPR-compliant cloud PBX provides a centralised, cloud based Unified Communications solution that exceeds the needs of your regular users and your contact centre in a single enterprise-wide solution.
On Xewave, you create Call Recording Profiles which govern the entire call recording process. This enables you to specifically define the justification for call recording, the opt-in process and control all elements of the call recording in terms of the prompts heard by all parties and the capabilities available to the user controlling the session.
When we record calls, we also maintain a versioned copy of the call recording profile alongside the call as well as all prompts played to the caller and any inputs received, with the specific intent and meaning of all prompts and inputs logged. So if you need to back up any complaint with clear evidence of how you adhered to your Data Protection Policy, then you have all the information you need right alongside the call recording itself.
Our solution provides a centralised, cloud based Unified Communications solution that exceeds the needs of your regular users and your contact centre in a single enterprise-wide solution.
Agents handling a call have full control over the state of call recording based on permissions granted to them in the recording profile, with the ability to start, pause, resume and stop call recording being available. Also, the state of call recording at the start of the call can allow either immediate recording, stopped requiring start by the agent, or pre-recorded where call recording begins immediately but must be authorised for storage by the agent.
We store all call recordings in our own data centre facilities and use the highest strength encryption available. All access to recordings is controlled and audited.
While all of our services are highly available with data secured and replicated, we never store data outside of our own domain. This means that when you are required to delete a call recording, doing so in our portal ensures there are no stray copies of the data.