Call recording is a widely used technique to drive business growth and success, but businesses need to balance call recording with GDPR obligations.
Since the European Union’s General Data Protection Regulation (GDPR) came into effect, the landscape for all forms of data recording and collection has changed greatly.
The relationship between call recording and GDPR compliance can be difficult to navigate, so in this article we examine how to implement best practices for call recording while adhering to GDPR guidelines.
Why do companies use call recording?
Call recording is the process of capturing audio exchanges and other data or screen activity linked to a phone call. Many companies collect these phone conversations to use the insights the data provides to drive better customer experiences and facilitate more informed business decisions.
Some of the benefits of call recording for business include:
Enhanced customer experience
86% of Irish consumers believe experience is as important as products.
The insights gained from call recording can help to advance customer engagement strategies, improve follow-up procedures and overall promote a better customer experience.
Supports employee training and performance
Call recording can also be used for employee training purposes. With a vault of real-life customer conversations to access and replay, new employees can learn more easily and understand better the do’s and don’ts when dealing with customers.
These recordings can also be used to evaluate current employee performance and provide feedback on areas of improvement where necessary.
The risk of litigation is unfortunately a reality that comes with running a business. A major benefit of call recording is that it creates a “paper trail” documenting the what, when and where of a conversation thread.
Providing all rules and protocols were followed, these call recordings can offer a quick and easy resolution to disputes that may arise.
According to a survey by PwC, 47% of consumers listed personal data protection as a key feature of brand trust.
In this data-driven age, people are more aware of how valuable their information is, and many are pretty knowledgeable in the area of GDPR compliance and their rights as data subjects. Call recording can help verify that a company is compliant should a request be made to prove so.
What is GDPR?
The General Data Protection Regulation (GDPR) came into effect in May 2018 and is a legal framework, or set of regulations, that applies to the collection and processing of personal information of EU citizens.
It applies to any business, regardless of whether that business is located in the EU or not, that processes the personal data of EU citizens or residents. Failure to comply with the GDPR can lead to stiff penalties.
The GDPR outlines six data protection principles that summarise its many requirements:
- Lawfulness, fairness and transparency – Companies need to ensure their data collection practices are not breaking any law and that nothing is being kept or hidden from data subjects.
- Purpose limitation – The purpose or reason for the capture of data must be made explicitly clear. Most commonly this is for training, quality and verification purposes. Data must also only be held for as long as is necessary to complete that purpose.
- Data minimisation – Organisations must only collect and process the relevant personal data that they need to achieve their processing purpose.
- Accuracy – Data is required to be up-to-date and accurate. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
- Storage limitation – All data that has served its purpose and is no longer deemed necessary should no longer be stored and so must be deleted.
- Integrity and confidentiality – The GDPR states that personal data must be… “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures”.
How does GDPR impact call recording processes?
Before the introduction of GDPR, regulations around data protection varied from country to country and regulations around the practice of call recording were not as strict. Companies could rattle off a broad statement to notify the caller that the call was being recorded but, in most countries, they did not have to wait for explicit consent.
Post-GDPR, however, is a different story. Implied consent is simply not good enough and, as per the six principles, organisations need to be more specific and transparent with the purpose for which the call is being recorded.
So yes, GDPR limits how businesses can collect data and what they can do with it, but it doesn’t stop them completely from using call recording as a business improvement technique.
The key is to find a way to balance call recording with GDPR. Below are some suggestions to make sure your company is complying with GDPR call recording best practices.
Best practices to balance call recording with GDPR
Establish the purpose of call recording
Begin each phone conversation by disclosing that the call will be recorded and for what specific purpose the recording will be used.
Without establishing purpose, the call will not be in compliance with GDPR, and breaking GDPR laws brings with it heavy financial penalties.
Obtain explicit consent from the customer
Implied consent is no longer sufficient for call recording. Under GDPR rules, companies must obtain explicit consent from the caller, and this can only be done after the caller has been informed of the purpose of the recording.
Confirm devices and systems used for call recording
Any device where calls are being recorded needs to be disclosed to the caller, be it a VoIP system, a mobile, an integrated PSTN landline or all of the above.
Store recorded data securely
All data must be stored in a secure location. It cannot be shared with third parties and access must be restricted to only those deemed absolutely necessary.
Ensure easy access to data
Recordings should be easily accessible in the event that a data subject requests them. Under GDPR, a 30-day window is allowed to find and provide the recording; however, with the right phone system in place, this can be retrieved in seconds.
Securely delete call recordings when requested
One of the rights for data subjects under GDPR is the “right to be forgotten”. Similar to the above, if a request is received to delete a particular call recording, the company must be able to do so promptly and efficiently.
Finding the best solution to balance call recording with GDPR
Once you have established company best practices that comply with GDPR, you will then need to ensure your business is using a reliable VoIP system.