The General Data Protection Regulation (GDPR) is a new piece of EU-wide legislation designed to help consumers take control of their personal data. As a result, organizations will need to review how they store data in order to protect their customers.
It answers an increased need for stronger protection of the data we all constantly provide on the internet, at a time when malware is growing in both number and strength.
GDPR must be respected not only by European companies, but also by all non-European companies that manage EU citizens’ data.
Call recording is classified as a form of ‘data processing’, as it can include names and addresses, and personal information such as financial or health information.
For call recording, businesses will need to justify their recording of information by complying with at least one of the following 6 conditions (lawful processing):
- The people involved in the call have given consent to be recorded
- Recording is necessary for the fulfilment of a contract
- Recording is necessary for fulfilling a legal requirement
- Recording is necessary to protect the interests of one or more participants
- Recording is in the public interest, or necessary for the exercise of official authority
- Recording is in the legitimate interests of the recorder, unless those interests are less important than those of the participants
Businesses wishing to conduct call recording will have to draw up a specific call recording policy (Principle of Accountability, Article 5 (2)) outlining which of the processing conditions they believe apply and why, and detailing how they will obtain consent from participants and what measures are in place to protect recordings from misuse.
Controllers (who say how and why personal data is processed) and processors (who act on the controller’s behalf) are the specific roles responsible for those activities.
Two other important requirements of GDPR are:
- Data portability, Article 20 (1-4), which introduces the right for individuals to obtain and reuse their personal data for their own purposes. Controllers and processors must provide the personal data in a structured, commonly used and machine-readable form (e.g., CSV files)
- Right to erasure, Article 17 (1-3), which introduces the right for individuals to have personal data erased and to prevent processing in specific circumstances
In summary, companies will need to address the GDPR on two fronts:
- Training: Policies and protocols need to be spread across the organisation to ensure all staff are aware of the changes.
- Products: Call recording solutions that can play recording announcements, support on-demand recording and store audio files safely with multi-level access will be required.
If the non-compliance relates to technical measures, the fine may be up to the greater of €10 million or 2% of global annual turnover (revenue) from the prior year. If the non-compliance relates to a breach of key provisions of the GDPR, the fine rises to the greater of €20 million or 4% of global annual turnover (revenue) from the prior year.
How Imagicle can help
Imagicle Call Recording is compliant with GDPR: it can play recording announcements and obtain confirmation for recording, supports both always-on and on-demand (selective) modes, and provides encrypted storage and role-based access to recordings.
- Recording Announcement – built-in recording notification that plays an announcement at the beginning of the conversation to notify customers that the call may be recorded, with the option for the customer to press a DTMF key to accept recording (via the IVR Module)
- Selective and On-Demand Call Recording – Organizations can choose which lines to record in either always-on (total recording) or on-demand (by manually pressing a Rec button) mode
- Secure Call Recording and Encryption – securely records voice calls and stores them in AES-encrypted format.
- Tampering detection – to validate the authenticity of any recording file, ensuring that call recordings remain intact and unaltered.
- Flexible Retention Policy – Administrators can easily configure the retention period for call recordings.
- Role-Based Privileged Access – Access to data is password-protected and provided to authorized users only. Role-based access control defines each user’s rights, including the ability to search for and retrieve recordings for a given external number/contact and to delete or export them.
- Audit Trail – as of Winter’18, full audit logs of actions performed within the system, such as access to call recordings and deletion of files, exportable in CSV format.