GDPR is complex and the specific rules around recording calls can be even more of a challenge to understand. So we’ve created this quick guide that explains what you need to do to stay on the right side of the law and how VoiceIQ helps to give you and your company peace of mind.
What is GDPR?
In an effort to control the use of data and return power back to its citizens, on the 25th May 2018, the EU introduced GDPR (general data protection regulation). GDPR ensures security over who can collect, store, and process personal data. Every company, regardless of size, that handles EU citizens’ personal data has to comply with GDPR — even if the company is based outside the EU. This means that any personal identifiable information you collect needs to be dealt with in a consistent, compliant way.
In total, there are 8 rights that you need to keep in mind when dealing with personal data. And to help you out, we’ve listed them below:
- Right to information - Your customers should know that their data is being processed
- Right to request - Your customers should be able to access the personal data you store on them and know what it’s being used for
- Right to data portability - Your customers have the right to access their data in a simple format to pass it on to another company
- Right to processing - Your customers can ask for their data to be processed by a human rather than a computer
- Right to be forgotten - Your customers can ask that all their personal data is erased when it’s no longer needed for the initial purpose
- Right to rectification - Your customers have the right to correct any incorrect information about them
- Right to restriction - Your customers can ask to limit the processing of data
- Right to object - Your customers can object to their information being used for marketing purposes
How does GDPR affect call recording?
However, those rights aren’t all you and your company have to consider. There are additional 6 conditions only for which call recording is permitted under GDPR.
- Consent - The most common justification used by companies for call recording is that of consent. If your company decides to use this condition, consent must be freely given, informed, and affirmative.
- Contractual obligation - Call recording can also be permitted if a company has a contractual obligation to record the call. For example, call recording may be necessary to fulfill a contract between you and your customer.
- Legal obligation - The third condition for call recording is for fulfilling a legal obligation. This is when collection of personal data is legally required. For example, your company may be legally required to keep track of personal data of employees for social security purposes.
- Public interest - If it is in the public interest, call recording may also be permitted. For example, a hospital would be legally required to keep track of patients’ medical records. However, this condition probably won’t be applicable to most companies.
- Vital interest - Call recording may also be permitted if it protects the vital interests of one or more participants. The difficulty of using this justification is that it is quite hard to define what determines vital interests. A police station for example has clear vital interest to record calls as they may form important evidence. For most companies however, this justification is probably not suitable.
- Legitimate interest - The final condition for call recording is when it is in the legitimate interests of the company recording, for example if data processing is necessary for their business. However, the subject must be informed about the recording, and the call recording must not impede the rights of the call subject. For example, your company may have legitimate interest when data processing is necessary to prevent fraudulent activity or network security.
What happens if a company doesn’t comply with GDPR?
With strict guidelines comes strict penalties! Failure to comply with GDPR requirements can lead to a fine of 4% of annual revenue or up to €20 million, depending on which is higher. If a data breach is recognised, companies must notify the supervisory authority as soon as possible — within 72 hours at most. For UK companies, this is the ICO (Information Commissioner’s Office) and more information about reporting a breach can be found here.
Over 200,000 breaches have been reported so far, the majority being complaints. And this is just the beginning! Most infamously, Google were fined for failing to provide simple and accessible information on their data processing, and also for failing to gain processing consent for ad personalisation. This cost them €50 million. Other instances include British Airways, who were fined over £183 million for a security breach when hackers accessed over half a million customers’ personal data. Similarly, Marriott International, Inc. were fined almost £100 million when the personal data of 339 million guests was stolen by hackers.
As you can see, GDPR requirements are tough for even the biggest businesses. Which leads us to…
How can VoiceIQ help?
Needless to say, GDPR laws are complicated and often difficult to navigate, but here at VoiceIQ, we believe there is a better way. Whilst we can’t help you decide which justification your company should use to record calls, we can automate the process of obtaining and recording if you decide to choose the ‘consent’ justification.
Using advanced Natural Language Processing, VoiceIQ’s Automatic Bookmarking recognises when someone says that they give consent to be recorded and contacted during a phone conversation. Once automatically tagged, VoiceIQ initiates workflows within the CRM to update the contact record. Equally, VoiceIQ automatically stops recording when someone states that they no longer want to be recorded.
This stops anyone from being recorded who doesn’t want to be and automatically prevents call recording until the contact updates their preferences. In fact, VoiceIQ does all the hard work so that you don’t have to!