In this VIP VoIP blog, we outline what GDPR means for VoIP users once the new GDPR rules come into force.
What is GDPR?
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It replaces the 1995 Data Protection Directive (95/46/EC), which in the UK was implemented by the Data Protection Act 1998, and unifies the separate national data protection laws of the EU member states into a single EU-wide regulation.
The regulation applies to any business that handles the personal data of individuals in the EU, wherever in the world that business is based. While the UK remains part of the EU, UK businesses are subject to GDPR from 25th May.
Once Brexit is complete and the UK is no longer an EU member state, UK businesses will still have to comply with GDPR whenever they process the personal data of individuals in the EU. The UK government has also stated that it intends to carry GDPR into domestic law, so even UK-only businesses should not expect the requirements to disappear.
What will change?
When it comes to data protection, the current legislation is aimed at creating a balance between the rights of individuals and companies.
The new GDPR rules give more power to individuals, allowing them greater control over how their personal data is collected, recorded and used. GDPR also increases the penalties for companies that don’t comply with its rules.
GDPR key changes include:
• A tighter data breach notification process: a breach that puts individuals’ rights and freedoms at risk must be reported to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of the company becoming aware of it.
• Stronger rights for individuals, including the right to control how their personal data is processed, to request a copy of it in electronic form, to have it erased, and to have it transferred to another company (data portability).
• Data protection by design and by default: companies must build data protection into their systems from the outset rather than bolting it on afterwards.
• Mandatory data protection officers for public authorities, organisations that carry out large-scale regular and systematic monitoring of individuals, and organisations that process sensitive personal data on a large scale.
What does that mean for VoIP users?
Most VoIP services offer call recording, and a recording of a call is personal data. Any company wishing to continue recording its clients’ calls must therefore be able to point to a lawful basis for doing so. GDPR (Article 6) allows six, and the recording must fall under one of the following conditions:
• The caller has clearly and positively given consent to be recorded.
• Recording is required to fulfil contractual obligations to a client.
• Recording is a legal obligation in certain situations.
• Recording is necessary to protect someone’s vital interests, such as their life.
• Recording is needed for a task carried out in the public interest or in the exercise of official authority.
• The company has a legitimate interest in recording, uses the personal data in a way clients would reasonably expect, and the impact on their privacy is minimal.
Each of these conditions applies to different types of business. Here are a few examples:
• Companies in the financial sector are legally obliged to record calls with their clients, so they fall under the third condition.
• Recording calls to the emergency services, on the other hand, is considered necessary to protect the life of the caller.
• An officer in a City Council might record a call with someone who needs an interpreter in order to collect the data needed. This is both an exercise of official authority and a protection of the client’s interests.
• Energy companies that record calls in which clients give meter readings are considered to be recording in order to fulfil contractual obligations.
• General recording for monitoring and training purposes, as in call centres, falls under the first or sixth condition. GDPR puts tighter restrictions on both. Under the first condition, consent must be given explicitly and by a clear positive action (silence, pre-ticked boxes or simply continuing with the call are not enough), and it must be as easy to withdraw as it was to give; otherwise it is not valid. Under the sixth condition, the company’s legitimate interest must be weighed against the client’s privacy; if the client’s privacy outweighs that interest, the company is not allowed to record the calls.
What if you didn’t comply?
Organisations found in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements such as breaching the basic principles for processing, including the conditions for valid consent. A lower tier of up to 2% of annual global turnover or €10 million applies to infringements such as failing to notify a breach or failing to appoint a required data protection officer.
What to do next…
It’s better to be prepared and start implementing necessary changes in your data protection protocol in advance so you aren’t caught short at the last minute. For more details and advice on the options available to ensure your VoIP service is compliant, please contact us on 0345 200 1185
One last thing…
VoIP call recording presents a further challenge when it comes to phone payments and the rules of the Payment Card Industry Data Security Standard (PCI DSS): PCI DSS does not permit the card security code (CVV2) to be stored after authorisation, so recordings that capture a client reading out their card details must be prevented, paused or redacted. Read our article “VOIP CALL RECORDING – GDPR AND PCI IMPLICATIONS” to learn more about this subject.