Updated 31st March 2018
What is GDPR?
The General Data Protection Regulation (“GDPR”) is European legislation that has been designed to try and harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the EU approach data privacy.
The GDPR comes into force on 25 May 2018 and introduces an enhanced EU-wide data protection regime that will have a direct effect on member states and any companies established outside the EU who wish to trade with within the EU.
Further information about GDPR is available on the Information Commissioner’s Office website at https://ico.org.uk
Who is this Statement for?
This statement is for customers of Teleproject UK who are currently using or considering using the Call Recording and Call Recording Storage features available as an Add-on to the Active Inbound and Active iPBX telephony services.
What is Changing?
The change that companies need to prepare for is the requirement to actively justify the capture of conversations and the processing of personal information.
Currently implied consent to a message such as; ‘calls may be recorded for training and monitoring purposes’ is enough to allow data capture to legally take place, under GDPR this will no longer be the case.
GDPR goes beyond existing laws, putting consumer rights above those of organisations and stating six conditions under which call recording is deemed lawful:
1. The people involved in the call have given consent to be recorded
2. Recording is necessary for the fulfilment of a contract
3. Recording is necessary for fulfilling a legal requirement
4. Recording is necessary to protect the interests of one or more participants
5. Recording is in the public interest, or necessary for the exercise of official authority
6. Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call
Only one of these conditions needs to be met in order to justify recording the call.
For organisations in certain sectors, these conditions will easily be met due to industry specific regulations. For example, financial institutions regulated by the FCA are required by law to record all calls that lead to a transaction so would meet condition number three. Emergency services would be ok too as they would meet condition number five as call recording would be in the interests of public protection.
For most companies that record calls for ‘training purposes’ the only option is to gain the consent of the caller and meet condition number one.
What changes are Teleproject UK making?
We will be removing the ‘Record all Calls’ feature to prevent/limit the potential for call recording to take place without consent. This feature will be enabled for customers who can demonstrate that they are in a sector that can lawfully record all calls.
Moving forward the standard call recording feature will be ‘Record on Demand’ which by default will be set to a status of call recording is off when the call commences. Call recording can be turned on by using the *1 feature (or similar).
The record on demand feature can then be used to record calls when consent has been given and to capture the consent within the call recording.
Note: there will very soon be an overhaul of the login process to the Active inbound portal and the Call Recording Management area. These changes are of course designed to increase data security. In addition although no date has been confirmed the facility to have call recordings sent via email will soon be withdrawn.
Teleproject UK Recommends:
If you are a customer that already records calls and therefore has call recordings stored securely on the servers of our hosting partners, we recommend that in the short term you turn off recording and delete all stored call recordings. (we can help you with this)
Having taken the above action, you can then reinstate call recording in a GDPR compliant manner. Remember that your staff will need to consent to call recording too, so in addition to creating new procedures for capturing consent you may have to look at employment contracts and staff handbooks etc.
As part of this process you may want to make changes to your service for example removing the phrase 'calls may be recorded' from the Intro Message on your IVR or changing your IVR service flow so that callers who have consented to call recording via keypad selection are routed accordingly. For help with this please contact the helpdesk on firstname.lastname@example.org
Whilst under GDPR Teleproject UK is both a Data Controller and the Data Processor with regards to the information that we collect, store and process in order to provide our telecommunications services, the decision to record calls and to store call recordings lies with you our customer and in this respect you are the Data Controller.
According to Article 4 of the EU GDPR, the Data Controller and Data Processor roles are identified as:
Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
Disclaimer: this statement is intended to give an overview of your obligations under GDPR in relation to the recording of telephone calls. It is not intended to be an exhaustive statement of the law and readers should not rely on it as legal advice. The circumstances of each customer will vary and you may wish to consult your legal advisers for advice on your own specific circumstances.