HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

GDPR Call Recording Regulations

The General Data Protection Regulation (GDPR) applies from May 25, 2018, and with it come new requirements for organizations that record telephone calls. How will the GDPR affect the way entities collect, process and store phone calls and the personal information they contain? In this article, we examine the likely impact of the GDPR on call recording and some steps entities can take to comply.

Anyone who has ever called a business or customer service line will be familiar with the automatic notice informing them that their call may be recorded. Call recording is common practice because it allows companies and organizations to monitor their customer care employees, provides real-world examples for training, and gives a definitive reference in case of a customer complaint or any other contentious issue.

Given the many important functions that are served by call recording and the enduring preference of many people to call companies for assistance or other reasons instead of using online chats or tools, call recording is likely to be an option that organizations will continue to use for the foreseeable future.

A number of regulations already exist governing telephone call recording and acceptable practices. The introduction of the GDPR will complement these – in some cases by reiterating rules that may already exist and in others by reinforcing or replacing them.

While the words “phone”, “telephone”, and “voice” do not appear in the text of the law, all personal data collected are subject to its protections, whatever the medium. Phone calls routinely capture personal data such as names, addresses and account details, and sometimes health status or other special categories of data, which Article 9 permits to be processed only under additional conditions. Recordings, and any transcripts or notes derived from them, must be protected accordingly.

An important aspect of the GDPR concerns consent and the data subject’s knowledge of data collection. We mentioned the classic “calls may be recorded” disclaimer above; under the GDPR, that notice on its own is unlikely to be sufficient to count as consent.

Recital 32 of the law reads: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data […] such as […] by an oral statement”. It goes on to say that “Silence, […] or inactivity should not therefore constitute consent”. The commonly used automatic notification that calls are recorded, followed by the call simply continuing with no opportunity for the caller to agree or decline, therefore does not amount to valid consent. Organizations relying on consent as their lawful basis will have to add a step in which consent is explicitly given, for example a keypress or a spoken “yes” at the start of every recorded call, and keep a record of that consent alongside the recording.

Consent is not the only lawful basis available under Article 6, however. Where recording is necessary to meet a legal obligation, to perform a contract, or for a legitimate interest that is not overridden by the caller’s own interests, the recorded notice still serves the transparency requirement, but consent itself need not be obtained. Organizations should decide which basis they rely on before the call starts, because a recording made on the strength of invalid consent cannot later be rescued by switching to another basis.

Any recorded phone calls must be stored somewhere in order to be processed, and that storage must be secure. The GDPR notes that “measures [to protect data] should ensure an appropriate level of security, including confidentiality, […] in relation to the risks and the nature of the personal data to be protected”. It goes on to state that “consideration should be given to the risks that are presented by personal data processing, such as […] unauthorised disclosure of, or access to, personal data transmitted [or] stored”, and names encryption as an example of a suitable measure. Organizations must review the risks and the nature of the data they collect in order to introduce proportionate security measures. In practice, for call recordings that means encrypting audio at rest and in transit, restricting access to staff who need it, logging who listened to or exported a recording, and applying the same controls to backups, transcripts and any analytics copies.

Recordings should also not be stored indefinitely. The law requires “ensuring that the period for which the personal data are stored is limited to a strict minimum” and that “time limits should be established […] for erasure or for a periodic review”. Organizations therefore need a defined retention period for each category of call, and a process that either deletes recordings when that period expires or reviews whether they are still needed. For some sectors, continued retention will have to be justified by an ongoing legitimate interest or a legal requirement: certain industries have minimum periods for which records, including call recordings, must be kept to comply with other legislation, and those obligations take precedence over the minimisation principle for as long as they apply.

One of the potentially more difficult areas is the right to erasure, commonly called the right to be forgotten (Article 17). Individuals have the right to request that an organization delete the personal data it holds about them. Unless one of the exceptions applies, such as data that must be kept to comply with a legal obligation or to establish, exercise or defend legal claims, the organization must delete the data or risk substantial fines. For call recordings this means being able to find every recording of a given caller, together with every copy of it (backups, transcripts, extracts used for training or quality review), so that all of it can be deleted when a request is received or a retention limit is reached, and recording the reason whenever something is retained instead.
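The retention limits and erasure requests discussed above both depend on the same thing: an index that ties every copy of a recording to the caller it concerns. The following Python register is an added illustration, not code from HIPAA Journal or from any product; it assumes recordings are identified by an opaque recording ID, that callers are looked up by a keyed hash of their phone number rather than the raw number, and that each recording lists all of its copies (primary audio, backup, transcript). The storage paths, phone numbers, dates and hold reasons are constructed sample data.

```python
"""Retention and erasure register for call recordings (illustrative example).

Assumed, not from the article: recordings carry an opaque recording_id, a
pseudonymised caller key, a retention period, and a list of every copy held.
A legal_hold reason marks an Article 17(3) exception (legal obligation, legal
claims) that blocks deletion and must be reported back to the requester.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed key; in production it would come from a KMS/HSM, never source code.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def subject_key(phone_e164: str) -> str:
    """Keyed hash of the caller's number, so the index can be searched by caller
    without storing raw numbers. Still personal data (pseudonymised, not anonymised)."""
    return hmac.new(PSEUDONYM_KEY, phone_e164.encode(), hashlib.sha256).hexdigest()


@dataclass
class Recording:
    recording_id: str
    subject: str                   # pseudonymised caller key
    recorded_at: datetime
    lawful_basis: str              # "consent", "legal_obligation", "legitimate_interests", ...
    retention: timedelta           # time limit set for this category of call
    copies: dict[str, str]         # copy name -> object path (primary, backup, transcript, ...)
    legal_hold: str | None = None  # reason the data must be kept, if any

    def expires_at(self) -> datetime:
        return self.recorded_at + self.retention


class RecordingRegister:
    def __init__(self) -> None:
        self._items: dict[str, Recording] = {}
        self.deleted: list[tuple[str, str]] = []  # (recording_id, copy name) removed so far

    def add(self, rec: Recording) -> None:
        self._items[rec.recording_id] = rec

    def _delete_all_copies(self, rec: Recording) -> None:
        # Every copy goes, not just the primary audio file.
        for copy_name in rec.copies:
            self.deleted.append((rec.recording_id, copy_name))
        del self._items[rec.recording_id]

    def purge_expired(self, now: datetime) -> list[str]:
        """Periodic job: delete recordings past their retention limit unless on hold."""
        purged = []
        for rec in list(self._items.values()):
            if rec.expires_at() <= now and rec.legal_hold is None:
                self._delete_all_copies(rec)
                purged.append(rec.recording_id)
        return purged

    def erase_subject(self, phone_e164: str) -> dict[str, list[str]]:
        """Handle an Article 17 request: erase what can be erased and report,
        with reasons, anything retained under an exception."""
        key = subject_key(phone_e164)
        result: dict[str, list[str]] = {"erased": [], "retained": []}
        for rec in list(self._items.values()):
            if rec.subject != key:
                continue
            if rec.legal_hold:
                result["retained"].append(f"{rec.recording_id}: {rec.legal_hold}")
            else:
                self._delete_all_copies(rec)
                result["erased"].append(rec.recording_id)
        return result

    def due_for_review(self, now: datetime, window: timedelta) -> list[str]:
        """Recordings whose retention ends within `window`, for periodic review."""
        return [r.recording_id for r in self._items.values()
                if now <= r.expires_at() <= now + window]


def demo() -> dict:
    """Constructed scenario: one expired recording, one on legal hold, two live ones."""
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    alice, bob = "+441234567890", "+441234567891"
    reg = RecordingRegister()
    reg.add(Recording("rec-001", subject_key(alice), now - timedelta(days=400), "consent",
                      timedelta(days=365), {"primary": "s3://rec/001.wav", "backup": "s3://bk/001.wav"}))
    reg.add(Recording("rec-002", subject_key(alice), now - timedelta(days=10), "consent",
                      timedelta(days=365), {"primary": "s3://rec/002.wav", "transcript": "s3://txt/002.json"}))
    reg.add(Recording("rec-003", subject_key(alice), now - timedelta(days=30), "legal_obligation",
                      timedelta(days=5 * 365), {"primary": "s3://rec/003.wav"},
                      legal_hold="retained under sector record-keeping rules (constructed reason)"))
    reg.add(Recording("rec-004", subject_key(bob), now - timedelta(days=20), "consent",
                      timedelta(days=365), {"primary": "s3://rec/004.wav"}))
    purged = reg.purge_expired(now)        # rec-001 has passed its retention limit
    outcome = reg.erase_subject(alice)     # rec-002 erased, rec-003 retained with reason
    return {"register": reg, "purged": purged, "erasure": outcome,
            "review": reg.due_for_review(now, timedelta(days=350))}


if __name__ == "__main__":
    out = demo()
    print("purged:", out["purged"])
    print("erasure outcome:", out["erasure"])
    print("due for review:", out["review"])
```

The two points the example is meant to make are that the erasure path walks every copy listed for a recording, not just the audio file, and that a recording kept under an exception is reported back with its reason rather than silently skipped, since the response to the caller has to say what was kept and why.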