You need to have JavaScript enabled to experience the full functionality of this website. Please enable JavaScript and reload the page.

CALL US

CALL FOR CUSTOM QUOTATION,
BILL ANALYSIS OR CHECK SITE
READINESS

SALES : +353 1 524 2225 SUPPORT : +353 1 524 2000
GET A QUOTE
gdpr guidelines for a business recording calls

GDPR and Call Recording: 6 Best Practices for Your Business

by

Business call recording is a must-have for every company. Not only does recording help you to train teams, it can improve customer satisfaction

In short, you’re at a big disadvantage if your phone system does not feature call recording for business. 

However, business call recording laws are ever-changing. Businesses can no longer record a telephone call without obtaining explicit consent to record. This is since the introduction of GDPR in 2018. 

As a result, businesses may struggle to grasp GDPR compliance for call recording. This post will outline the different types of phone call recording. We will also set the record straight on the legal side of recording conversations. 

What is Call Recording and Why is it Important for Business?

Call recording allows your business to record a 1-to-1 call or conference call. Calls can be recorded on PSTN and VoIP phone systems. Calls are stored as an audio file. 

This feature is also known as voice logging or voice recording. Once a call is recorded, the file can be played back, stored or shared for many vital business purposes. Examples that help improve customer service include:

  • Training: Listening back on sales or support calls helps train teams. Rather than listening in real-time, managers can review a selection of calls. Afterwards, offer feedback to teams. This is useful for new starters, new products or struggling team members. 
  • Quality: Businesses can also improve the quality of calls by recording conversations. Listen back on the tone of voice, knowledge and temperament. Find gaps and help agents meaningfully engage with callers.
  • Dispute Resolution: Call centers with high call volume need to resolve disputes fast. This is needed when a customer makes a claim that cannot be recalled or verified by an agent. Listening back can solve issues before they become a larger problem.
  • Compliance: Businesses in the medical, finance or public sector may need to record calls. Recording can help verify that a company is compliant in other ways.
  • Real-Time Insight: Marketing teams benefit from real-time insights. They can even use call recording to get positive customer sentiment. This can lead to case studies or even new product ideas.

Blueface call recordings can be accessed from our easy-to-use UC Portal. Quick access from anywhere helps with higher sales conversions and faster support ticket solutions.

On top of that, cloud call recording helps with hybrid work or remote work policies.

What is GDPR?

General Data Protection Legislation (GDPR) is Europe’s tough privacy and data security law. Enacted on May 25, 2018, GDPR is a framework for data collection, usage and deletion.

Why does GDPR exist?

GDPR exists because everyone has the right to privacy. In 2011, Google was sued for scanning a data subject’s emails. After this incident, the EU decided to act. Previously, a state-by-state approach existed which has been replaced by GDPR – a data framework for all party states.

GDPR compliance includes the following principles:

  • Lawfulness, fairness, transparency: Data processing must be lawful, fair and transparent to data subjects.
  • Purpose limitation: The purpose of data capture must be clear and explicit. In the context of recording, you must state the purpose of the recording. This could be training, quality etc.
  • Data minimisation: Collect and process only what you need.
  • Accuracy: Data must be accurate and up to date.
  • Storage limitation: Data can only be stored for as long as the purpose outlined allows.
  • Integrity and confidentiality: Data must be processed with security, integrity and confidentiality.
  • Accountability: A data controller must be able to show GDPR compliance.

Who is Affected by GDPR?

GDPR applies to any business that processes the personal data of EU citizens or residents. It also applies to businesses that offer goods and services to EU citizens or residents.

It would be normal to assume that GDPR only applies within EU states. This is incorrect.

A business located in the United States may mainly offer services to Americans. However, if this business collects EU visitor data, it may be subject to GDPR rules. GDPR also interplays with non-EU states’ data protection laws. 

  • United States: Data protection in the USA is similar to the EU pre-GDPR. There is a blurry set of laws that different states require businesses to follow. Federal law lightly empowers the Federal Trade Commission (FTC). The FTC can protect consumers against ‘deceptive practices’. This can include data handling or misrepresentation. California is improving its approach to data. CCPA (2018) offered stronger data protection for consumers. CPRA broadens the scope of the CCPA to include non-consumers. Data management is quickly becoming a matter of national security. Expect federal law to reflect this in the future.
  • Canada: Canada has recently added the Consumer Privacy Protection Act (CPPA). CPPA aims to give people control over how businesses manage their personal information. This law is very similar to GDPR.
  • United Kingdom: The UK is no longer an EU nation-state. It has its own data protection law. General Data Protection Law 2018 is the UK’s variation of GDPR. It largely covers the same rules. Particularly lawful, fair and transparent data collection.

Global MNCs have a requirement to fulfill data protection steps. Not just in their HQ’d country, but everywhere their international footprint exists.

Why is Call Recording Affected by GDPR?

Call recording is a core feature of any phone system. While the initial frenzy has slowed, GDPR compliant call recording is still a hot topic for customers.

Put simply, call recording and storing calls is data processing. However, call recording is different from voice recording. Voice recording may not have context or metadata that identifies a subject. Calls, on the other hand, have a number that can link to the subject. 

Call recordings often contain personal or sensitive information. Sensitive information may be card details, addresses, healthcare details and a lot more. GDPR changed how call recording consent and storage are handled.

Pre-GDPR Call Recording

Before 2018, regulations around call recording consent were a little looser. Stating that calls are recorded for training and quality purposes was enough consent. Unsurprisingly, businesses typically used this as a blanket statement. 

Pre-GDPR, the data approach varied from country to country.

This is detailed very well in Mania Aslan’s article on IAPP. Germany and the UK, for example, had call recording laws that predated GDPR. Germany required 2-party consent or recording was a criminal offence. The UK’s 1998 DPA simply needed to notify callers and offer an opt-out.

Post-GDPR Call Recording

Post-GDPR many wonder if  a business can still record phone calls? The answer is yes. However, training and quality declaration is no longer a catch-all. GDPR call recording policy demands businesses to be more specific. Otherwise, it is not legal to record calls. 

Follow these GDPR Guidelines for recording calls.

  • Specific Consent: All participants have consented to the recording for one or more stated and specific reasons. So, if the call will be used beyond training and quality, it must be stated. This is why you may hear “and for verification purposes” for example.
  • Contract: Call recording may be needed for a record of a contract. This is usually common with utilities. Verbal contracts are, after all, difficult to prove without a hard copy.
  • Legal Obligation: Call recording is necessary to fulfill a legal obligation. Specific industries, such as finance or healthcare, may have this obligation.
  • Protection: A business can show that recording is needed to protect the interests of one or more participants. This could be verifying that a payment has been made.
  • Public Interest: Recording the call is in the public interest or is necessary to exercise official authority. An example of this could be on-the-record public sector conversations.
  • Legitimate Interest: Call recording is in the interest of the business. This is providing it does not override the interest of the caller. Calls may be recorded in this case for marketing case studies.

Regardless of your call recording software for business, these rules should be followed. Use the following best practices to safeguard your business and callers.

GDPR Guidelines for Business Recording Calls: 6 Best Practices

Let’s explore the best practices to keep your business GDPR compliant. If you have a business phone system with call recording, this is vital reading. Follow these six best practices.

1. Obtain Consent

This is the easiest part of compliance. Your business needs to notify all callers that calls are being recorded. Every call participant must consent to be recorded.

Implied consent is no longer acceptable. A caller must actively consent to be recorded. Simply taking part in the call after being informed is not considered explicit consent. Explicit call recording consent can be obtained by having an agent ask. Explicit consent can be captured using DTMF (buttons on their phone’s dial pad).

2. Establish Purpose

Training and quality would be the most typical use. However, this is no longer a catch-all. If you are going to use it to resolve disputes, this must be stated. If you are going to use it to verify personal information, this must be stated as well.

Failure to do so will result in your call recording being non-compliant. You will run the risk of heavy penalties under GDPR law.

3. Clarify the When, Where and How

A large majority of businesses will only record using VoIP phone systems. However, if you have integrated PSTN landlines or mobile devices, this must be stated. It is not adequate to state that calls are recorded on just one device. 

If you record calls on any device, a caller must be informed. If not, explicit consent has not been captured. This is notably valid for large contact centres. Transferring calls from a landline to a mobile number? Consent must be obtained again.

4. Have Easy Access to Data

If a caller requests a recording, this must be fulfilled in 30-days. Blueface makes call recording access easy with the UC Portal. Calls are organised and are searchable by number and name. You won’t need 30-days, 30-seconds will do the job.

Start by verifying the caller is legitimate. Then you can share the call recording. Log in to the UC Portal. Download the file and share it with a chosen secure method. 

5. Capability to Securely Remove Data

Callers have a right to be forgotten. If requested, a call recording must be deleted. However, there are times when a business can decline to do so. If there is a legal hold, unfulfilled purpose or public interest, for example.

6. Ensure Data Security

Call recordings must be securely stored. Access must be limited to certain parties. Additionally, these recordings cannot be shared with third parties unless consented to. Failure to implement call recording security will result in heavy penalties. Any breach will also cause serious reputation damage.

Blueface allows customers to store recordings on the remotely available UC Portal. Advanced permissions mean that only set team members can access them. Storage is ISO compliant through private data centres.

Consequences of Being Non-Compliant

GDPR and call recording help businesses understand their responsibility. Failure to comply with the GDPR call recording policy will result in harsh fines. GDPR recording calls penalties can be up to €20,000,000 or 4% of a company’s revenue. Whichever number is higher. 

Data subjects whose data is mishandled may also seek payment. So, you are liable if your security is not up-to-standard. Again, using phone call recordings for anything other than the stated context is a breach.

Choosing a Call Recording Software for Your Business

If you’re still choosing between providers for a call recording software for your business,  a cloud provider may be the best option. Hosted providers manage security for every aspect of your business phone system. This means that calls, recordings and conferences are airtight. Security protocols are updated unlike on-site machinery. It will save you money in the short term and long term.

Ensure that any provider you choose has multiple ways to switch on and off. Your software must offer easy access to recordings.

You can cut corners by choosing a non-compliant provider. This will cost you from a performance, security and compliance perspective. Easy access may be tricky without the right call recording software. 

Call Recording with Blueface

Blueface offers secure call recording software for business. Calls can be switched on and off from a handset, mobile or the UC Portal. Recording is available on a per user basis and comes with Blueface Business Unlimited. It can also be added to any basic account.

You can even record calls on your mobile with the Blueface Softphone. Softphones are classed as desk phones. As such, they are covered by the standard when, where and how.

All call recordings can be reviewed via the Blueface UC Portal. They can also be downloaded for local device review. This is, of course, with the correct permissions. So if a customer has a 30-day data request, you can comply in minutes.

SFTP transfer makes large storage easy and secure. Blueface is fully ISO compliant. That means that as regulation changes, your recording software evolves.

So, what are you waiting for? Press Play on Call Recording

Ready to start capturing customer sentiment? Want to turn your staff into super salespeople? Do you need a smart recording solution for your industry?

Contact our experts and get started today! No on-site machinery is needed. If you’re already a customer, we can set you up with call recording in seconds!