Understanding the GDPR Call Recording Rules

February 3, 2020

When the European Union’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018, it changed the landscape of regulated data protection law and the way call centers collect personal data.  The GDPR also addressed the export of personal data outside the EU and applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.

The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU.  Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.

The aim of GDPR call recording rules is to consolidate the different regulations, laws, and guidelines across European Union member states into a single, central source.  The ultimate goal is to strengthen the rights of EU citizens and give them more control over what information businesses collect and store about them.

How to Comply With GDPR Call Recording

Prior to the GDPR being introduced, all an organization needed to do to record a telephone conversation was simply mention it at the beginning of the call, explaining why the recording was taking place.  The onus was then on the recipient to carry on with the conversation or hang up if they weren’t happy to continue.

Now, in order to comply with GDPR call recording, consent must not simply be assumed but must be sought, following a clear explanation of why the call is being recorded.  The reason for call recording must fulfil one of these six conditions:

  • Participants have given consent to be recorded for one or more specific purposes
  • Recording is necessary to fulfil a contract to which the participant in the call is a party
  • Recording is necessary for fulfilling a legal obligation to which the recorder is subject
  • Recording is necessary to protect the vital interests of one or more participants
  • Recording is in the public interest or in the exercise of official authority vested in the recorder
  • Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call which require protection of personal data.

In addition to ensuring that call recording is legitimate and consented to, it’s also vital that organizations are clear when, where, and how calls are recorded.  With call systems allowing integration between PCs, desk phones, and mobiles, it’s vital that compliance takes place across all devices.

Additional Components of GDPR Call Recording

Arguably the most important practice to remember about GDPR call recording is notifying customers when recording a call.  But there are other factors to the GDPR rules that must be accounted for as well:

Data Protection Requirements

As with all other forms of data collection, call recordings must be stored securely and appropriate security controls applied to prevent stored call data from being accessed by unauthorized individuals.  Organizations must conduct a risk analysis to determine the level of risk involved, and apply policies, physical, and technical safeguards to reduce risk to an acceptable level.

Data Retention Rules

Article 5 (e) of the GDPR explains that data can only be retained for the length of time that it is required to fulfil the purpose for which the data were collected. Recital 30 of the GDPR requires time limits to be applied for how long data can be retained.  When call recordings are no longer required, data must be disposed of securely.

Right to Access Personal Data

Data subjects have the right to access their personal data (GDPR Article 15), which extends to recordings of telephone calls.  If a request is received from a data subject to access their personal data, it is necessary to comply with that request within 30 days.  A company must therefore be able to search for call recordings and provide copies as necessary.

Right to be Forgotten

A mechanism must be implemented that allows all personal data of an EU subject to be deleted if a request to do so is received from a data subject (GDPR Article 17).  When an EU resident exercises their right to be forgotten, all data – including call recordings – must also be deleted, provided that the deletion of such information does not violate state or federal laws and the data are no longer necessary for the purpose for which the information was originally collected.  The right to erasure similarly doesn’t apply for the establishment, exercise, or defense of legal claims, for archiving purposes in the public interest, or to exercise the right of freedom of expression and information.

So, in addition to securing the explicit consent of the customer and having a legal purpose for recording the call, organizations will also have to keep this record accessible and be able to produce it within one month, should a customer act on their Right to Access Personal Data.  At the same time, should a customer invoke their Right to be Forgotten, organizations must have the ability to permanently delete the audio file of the recording in order to remain compliant with GDPR.
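The three mechanisms the sections above require (a retention clock per recording purpose, a search that answers a subject access request within the 30-day window, and an erasure routine that honours the legal-claims exception) can be modelled in a small store. The following Python is an added illustration, not code from this article or from NICE; the purposes, retention periods, recording ids, subject ids and audio paths are constructed placeholders, and the retention limits would in practice come from the organization's own documented policy.

```python
"""Added example: a minimal call-recording store that models the GDPR
retention, access and erasure obligations described in the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed per-purpose retention limits in days (Article 5(e): keep only as
# long as the purpose requires). These values are constructed for the example.
RETENTION_DAYS = {"quality_assurance": 90, "contract_fulfilment": 730}

# Response window for a subject access request (the article states 30 days).
SAR_RESPONSE_WINDOW = timedelta(days=30)

# Fixed "current time" so the demo and its assertions are reproducible.
NOW = datetime(2020, 2, 3, tzinfo=timezone.utc)


@dataclass
class CallRecording:
    recording_id: str
    subject_id: str          # the data subject (caller) the recording concerns
    purpose: str             # why the call was recorded; drives the retention clock
    lawful_basis: str        # which of the six conditions was relied on
    recorded_at: datetime
    audio_ref: str           # handle to the stored audio object (constructed path)
    legal_hold: bool = False  # needed for establishment/defence of legal claims
    deleted: bool = False


class RecordingStore:
    def __init__(self):
        self._recs = {}      # recording_id -> CallRecording (kept after erasure for audit)
        self.audit_log = []  # (event, id, detail) tuples

    def add(self, rec):
        # Refuse recordings whose purpose has no retention limit: Recital 30
        # requires a time limit to exist before the data are kept at all.
        if rec.purpose not in RETENTION_DAYS:
            raise ValueError(f"no retention limit defined for purpose {rec.purpose!r}")
        self._recs[rec.recording_id] = rec
        self.audit_log.append(("recorded", rec.recording_id, rec.lawful_basis))

    def _erase(self, rec, reason):
        # Secure disposal would destroy the audio object here; the example only
        # drops the reference and records the event so the action is auditable.
        rec.audio_ref = ""
        rec.deleted = True
        self.audit_log.append(("erased", rec.recording_id, reason))

    def purge_expired(self, now):
        """Erase recordings held longer than their purpose's retention limit.
        Recordings under legal hold are left for the legal-claims exception."""
        erased = []
        for rec in self._recs.values():
            if rec.deleted or rec.legal_hold:
                continue
            if now - rec.recorded_at > timedelta(days=RETENTION_DAYS[rec.purpose]):
                self._erase(rec, "retention_expired")
                erased.append(rec.recording_id)
        return erased

    def subject_access_request(self, subject_id, received_at):
        """Article 15: find every live recording for the subject and the deadline."""
        found = [r.recording_id for r in self._recs.values()
                 if r.subject_id == subject_id and not r.deleted]
        self.audit_log.append(("access_request", subject_id, str(len(found))))
        return {"deadline": received_at + SAR_RESPONSE_WINDOW, "recordings": found}

    def erasure_request(self, subject_id):
        """Article 17: erase the subject's recordings unless an exception applies."""
        outcome = {"erased": [], "retained": {}}
        for rec in self._recs.values():
            if rec.subject_id != subject_id or rec.deleted:
                continue
            if rec.legal_hold:
                outcome["retained"][rec.recording_id] = "legal_claims"
                continue
            self._erase(rec, "erasure_request")
            outcome["erased"].append(rec.recording_id)
        return outcome


def demo():
    """Run the three obligations over constructed sample recordings."""
    store = RecordingStore()
    store.add(CallRecording("rec-1", "subj-A", "quality_assurance", "consent",
                            NOW - timedelta(days=100), "audio/rec-1.wav"))
    store.add(CallRecording("rec-2", "subj-A", "contract_fulfilment", "contract",
                            NOW - timedelta(days=10), "audio/rec-2.wav"))
    store.add(CallRecording("rec-3", "subj-A", "quality_assurance", "consent",
                            NOW - timedelta(days=5), "audio/rec-3.wav", legal_hold=True))
    return {
        "purged": store.purge_expired(NOW),                 # rec-1 is past 90 days
        "sar": store.subject_access_request("subj-A", NOW),  # rec-2 and rec-3 remain
        "erasure": store.erasure_request("subj-A"),          # rec-3 stays on legal hold
        "audit_events": [e[0] for e in store.audit_log],
    }


if __name__ == "__main__":
    print(demo())
```

The audit log is the piece a compliance reviewer will ask for: it shows which lawful basis was recorded at capture time, when the retention clock erased a recording, and why a recording survived an erasure request.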

Organizations that don’t comply can face potentially massive penalties: up to 4% of their annual turnover – or 20 million EUR – whichever is greater.

Put Privacy at The Top of Your Compliance Practices

The NICE Compliance Center is a unique end-to-end compliance solution for contact centers, bringing together the abilities to visualize data and gain privacy focused insights, take actions on policies, and bridge siloes between data systems to efficiently manage interactions and policies.  With the GDPR/CCPA data privacy solution, users obtain actionable intelligence on their GDPR/CCPA related activities and can directly take proactive or corrective actions to ensure that their practices are aligned with the principles of the regulation.


The information presented does not constitute legal advice, and we strongly encourage anyone seeking more detailed information to enlist the services of a lawyer who is versed in the requirements for your industry and/or state.