The two-year grace period for companies to react to the change in EU General Data Protection Regulations (GDPR) is nearly up. For many companies, January 2018 marks a milestone in GDPR readiness activity. The Christmas period no longer stands between the current state of the business and the May 2018 deadline. It’s time to roll up our sleeves.
Like many UK businesses, we are some way through mapping our information flows, identifying processes and systems and reviewing why we’re collecting the personal data that we do, what we use it for, and who we share it with. Even given our modest size and the B2B nature of our business, the map of our information system dealing with personal data is eyebrow-raisingly intricate. It’s easy to miss significant operational systems because of the natural focus on marketing activities, CRM and HR systems.
Voice Recording and GDPR
One of the applications that lies at the heart of many businesses, but might initially slip under the GDPR radar, is the use of telephone systems for communication and the common use of call recording and voicemail. Telephone calls and recordings often contain the personal data of EU subjects and so are, without doubt, subject to the EU GDPR.
Telephony systems are ubiquitous, but can be somewhat backwards in terms of security techniques (e.g. 4-digit PINs for voicemail access, lack of encryption for call recordings, use of email attachments to move call recordings around). They also tend to involve a plethora of third parties, legacy platforms and processes that have evolved complacently without pruning for many years.
Hacking voicemail systems has been a hot topic in the UK’s recent memory. The furore surrounding the Leveson inquiry may have subsided, but it might serve to remind us that the consequences of breaches in information security of voice systems can involve business failure, massive reputation damage, and jail, even before you factor in fines leveled by regulators for lack of evidence of compliance.
As recorded conversations have the potential to contain a host of personal information, including names and addresses, financial details and medical records, they are already covered by the 1998 Data Protection Act. Companies that are already assiduously compliant with current privacy law are unlikely to be taken by surprise by the changes in the EU GDPR. However, a lot of organizations, when they start looking at telephony systems in light of the EU GDPR, become aware of how far they might have drifted and how difficult it might be to correct the course.
Companies that record telephone calls or support voicemail need to make sure that they have a legal basis for collecting and processing personal data that may be contained therein. They will have to actively justify the capture of conversations and put consumers’ rights ahead of their organization, otherwise the recording could be deemed unlawful. They should also comply with all of the other aspects of the GDPR based on that lawful reason. This may include individual rights of access, challenge, amendment and erasure, security and notification of breaches.
There are clearly a number of situations where call recording is deemed lawful. Examples include financial institutions that are required by law to record all calls, emergency services calls, which are in the interest of public protection, and cases covered by other sector-specific regulations.
But from May onwards, the magic phrase “calls are recorded for training purposes” may not be sufficient justification without the caller’s consent. Businesses need to look at how they change their processes (and possibly technologies) to better support the new-look data protection regulations. Data protection needs to be inherent within the design of voice systems alongside transparency and protection of the rights of the data subject.
activereach offers a range of feature-rich call recording and quality monitoring services that are utilised by contact centres for compliance, security and improving service levels. If you would like further information from a GDPR consultant then please contact us on 03302 234646.