How GDPR Affects Your Contact Centre Call Recording

From blog posts to newspaper headlines, most of us have heard about the EU’s General Data Protection Regulation (GDPR), the huge impact it has had on our privacy practices, and the considerable fines associated with non-compliance.

By now, every business that handles the personal information of EU citizens should be compliant. But with so much personal information flowing around the average contact centre, are you confident you’ve addressed every detail?

We’re keen to support our customers with some basic guidance on how GDPR may affect the way you use your hosted contact centre solution. You can get more comprehensive advice in our free eBook, Preparing Your Contact Centre for GDPR Compliance. However, in this post, we begin with how you will need to reassess your call recording practices in light of this change.

Defining a lawful basis for contact centre call recording

Fundamentally, GDPR reinforces that businesses need a lawful basis to process and store personally identifying information. This is something that must be assessed and documented by anyone who controls or processes data.

According to the Information Commissioner’s Office (ICO), there are six lawful bases for processing personal data:

1. Consent: The data subject has given clear consent

2. Contract: The processing is necessary for a contract or in forming a contract

3. Legal Obligation: Processing is essential for complying with the law

4. Vital Interests: Processing protects someone’s life

5. Public Task: Processing is necessary for a task that falls under the public interest

6. Legitimate Interest: Processing is necessary for your legitimate interests or the interests of a third party – to such a degree that it outweighs the need for privacy

Some businesses may find that they already have a lawful basis for recording calls. In industries like finance, for example, call recording is a legal obligation.

However, those contact centres that record calls for training and monitoring will need to justify their processes as a ‘Legitimate Interest’. By carrying out a balancing test, you can weigh your commercial interests against your customers’ right to privacy, but this is often a complicated process requiring specialist advice.

In many cases, consent is the easiest way to lawfully record calls. However, this is made more complicated by the fact that, under GDPR, the nature of consent itself has changed.

Obtaining and recording active consent in your contact centre solution

Before GDPR, the UK’s own data protection legislation allowed for consent to be assumed in the majority of cases. That’s why web-based forms with pre-filled checkboxes became so commonplace, forcing data subjects to opt-out rather than opt-in.

Since May 2018, this kind of assumed consent is no longer valid. Whenever your contact centre solution initiates call recording, you need to ensure that a data subject has clearly and actively agreed to this, either during the call itself or as part of a customer agreement.

Ideally, your contact centre solution will support this with the convenient ability to turn recording on and off, or use custom fields to check for consent before recording begins.

Increasing a data subject’s control over personal data

It is also important to note that your obligations don’t stop after a call is recorded. GDPR gives data subjects more power to request a disclosure of any personal information you hold, or request that their personal information is removed.

If data subjects exercise their right to access the data, it is your obligation to provide this free of charge within one month. Similarly, GDPR is very clear that, if a data subject requests that their data be removed, this must be carried out ‘without undue delay’.

This is an area where your choice of hosted contact centre and call recording technology can play a critical role. Within the Hostcomm solution, it’s easy to run reports on calls involving a specific customer, or search recordings to find the ones you need.

As a result, you can handle these requests for access or erasure without delay – and without increasing the time and money involved.
