As if call and contact centers didn’t have enough regulations to worry about already, the European Union’s General Data Protection Regulation, which came into effect on May 25, 2018, has added another to the list. Not only does it have sweeping provisions about the collection and retention of consumers’ personal data, it also has a set of robust provisions pertaining to call recordings. To make matters even more complicated, these provisions often clash with existing regulations around call recordings.
If you’re outside the EU and think you can get off scot-free, think again. The GDPR applies to any organization processing the data of European residents, even if that organization is based outside of the EU.
To help your organization navigate these tough regulatory waters, we’ve assembled some top tips that will help you to achieve GDPR compliant call recordings inside your contact center.
Call Recording Regulations Around the World
Besides the GDPR, there are a number of already existing regulations across the EU and US mandating rules around the recording of calls. Let’s take a closer look.
Before the enactment of the GDPR, several EU member countries had their own preexisting call recording regulation. According to Mania Aslan in her article for the International Association of Privacy Professionals (IAPP), “Germany, for example, is a two-party consent state, meaning call recording without the consent of both or, when applicable, more, participants is a criminal offense.”
Germany isn’t alone in having had laws on the books surrounding recordings prior to GDPR. Aslan goes on to write, “In the U.K., the Data Protection Act of 1998 (DPA) classifies call recording as a form of data processing, as recorded conversations have the potential to capture personal information, including names, addresses, financial details, religious beliefs, and medical records. Under the DPA, individuals must be informed about the purpose of the recording. When it comes to consent, however, tacit consent is assumed under the DPA as long as individuals are informed about the recording and given the option to opt out. In this way, an audible notification informing the participants that the conversation is being recorded for training purposes satisfies the DPA requirement.”
Call recording consent, with the number of parties required to agree to the recording, varies from state to state. For example, Penal Code section 632 of the California Invasion of Privacy Act (CIPA) requires all-party consent for recording confidential communications. Therefore, all inbound and outbound calls should be prepended with an announcement such as is commonly heard, “This call may be recorded for quality-assurance and training purposes.”
In the same vein as California only ten other states require the consent of all the parties involved for a call recording: Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania and Washington. In contrast, most other states only require the consent of one party, whereas the secret recording of calls is almost universally prohibited.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) stipulates that call recording must follow the rules outlined below:
- The individual must be informed that the conversation is being recorded at the beginning of the call.
- The individual must be advised of the purposes. The organization must be clear about the purposes; an organization should not state that it is recording the conversation for quality assurance purposes if, in fact, the recording will be used for other purposes.
- If the caller objects to the recording, the organization should provide the caller with meaningful alternatives.
Under the country’s Telecommunications (Interception and Access) Act 1979, in addition to state and territory laws, parties generally must be notified that their call is being recorded and given the option to transfer to a separate line not subject to recording.
Industry Specific Call Recording Rules
In addition to government-mandated regulations around call recording, there are also a number of industry governing bodies that have rules around call recordings. For example, in the UK, the Financial Conduct Authority (FCA) requires financial firms, including brokers, banks and investment managers to record complete phone conversations. The FCA deems that full recordings are useful across all sectors to assuage transaction disputes and ensure that customers are treated fairly, consistently and are given the correct information and advice. Similarly, in the US, the Financial Industry Regulatory Authority (FINRA) enforces special supervisory procedures, including the tape recording of conversations, for certain broker/dealer firms when they have hired more than a specified percentage of registered persons from firms that have been expelled or that have had their broker/dealer registrations revoked for violations of sales practice rules. These are just a few of many industry rules.
Call Recording Under GDPR
In opposition to many of the aforementioned examples of call recording regulations, the GDPR offers stringent guidelines as to when a recording may occur and how the record must be treated. Because they often contain personal information, the recording of calls is considered a form of data processing and is therefore subject to all the rules around it. This means that tacit consent will no longer suffice. Individuals will have to explicitly agree to have their call recorded and using messages like “This call will be recorded for training purposes” will not be enough to secure consent.
As Dóra Rapcsák explains in her article for VCC Live, “Organizations will need to justify that their purpose for recording calls fulfills one of the conditions below:
- Individual(s) involved in the call have given their consent to be recorded (oral acceptance during the call, consent after receiving a message, or consent as part of a customer agreement)
- Recording is required to fulfill a contract to which the individual is a party
- Recording is required to fulfill a legal obligation to which the recorder is subject
- Recording is required to protect the interests of one or more participants
- Recording is in the public interest
- Recording is in the recorder’s interest unless those interests are less important than the interests of the individuals in the call”
In addition to securing the explicit consent of the customer and having a legal purpose for recording the call, organizations will also have to keep this record accessible and be able produce it within one month, should a customer submit a Subject Access Request. At the same time, should a customer invoke their “right to be forgotten”, organizations must have the ability to permanently delete the audio file of the recording in order to remain compliant with GDPR, which in some cases is easier said than done.
How to Ensure GDPR Compliant Call Recordings
Apart from only recording calls under a legal basis and having the ability to produce or delete recordings upon request, it helps to take a page out of the book of PCI DSS compliance when it comes to making sure your call recording practices are GDPR compliant. The PCI DSS states that no Sensitive Authentication Data (SAD) can be stored on call recordings, so many organizations have turned to technology solutions to keep this data off recordings entirely.
DTMF masking solutions, like Semafone’s Cardprotect, allow callers to input numeric information using the keypad on their phone. This method effectively keeps Personally Identifiable Information (PII), like credit card numbers or passport numbers, among many others, off call recordings by masking the dial tones. The caller stays in constant communication with the agent, while the digits they enter are rendered indistinguishable, resulting in a better customer experience and reducing your cybersecurity risk, because after all, hackers can’t access the data you don’t hold!