If you have a voice over internet protocol (VoIP) telephone system, then it falls under certain data protection regulations.
GDPR came into force in May 2018, and even though the UK is now not an EU member, there is little change to core data protection principles under UK data protection law.
Personal Data Protection
The Data Protection Act 2018 (DPA) controls the use of people’s personal information and is effectively the UK’s implementation of GDPR.
Therefore, when using your VoIP system, you must follow strict data protection principles. These say that the use of personal data must be:
- Fair, lawful and transparent
- For specified, explicit purposes
- Adequate and relevant
- Accurate and up to date
- Not kept any longer than is necessary
- Properly secure.
Appropriate security of personal information includes protecting it from unlawful or unauthorised processing, access, loss, damage or destruction.
Consequently, you need to have a clear set of data protection procedures in place, which you can demonstrate, and which cover the use of VoIP.
How Does Data Protection Affect VoIP?
One of the fundamental features of VoIP is call recording. Therefore, if you are going to record incoming customer calls, you will need to be able to justify this legally.
There are six different data protection conditions, under which you can record calls:
- Your company has a legitimate interest in recording calls and using personal data as clients would expect, with a minimum impact on their privacy.
- The caller has given their clear, positive consent for call recording
- It is a legal requirement in certain situations
- Call recording is part of a contractual obligation to your client
- It is necessary to protect the interests, or life, of a client
- It is needed for carrying out an official authority.
The Importance of Caller Consent
Under data protection rules, the caller or user is in a very strong position. They need to give their explicit consent for you to collect their data via call recording, and they can withdraw this consent at any time.
If you’ve recorded a call and the caller no longer wants you to keep this data, then they can request that you delete it. You must comply unless there is a legitimate reason for keeping it.
Applying Data Protection to VoIP
Examples of how you would apply data protection under the various conditions listed above include:
- In the financial sector, companies are legally obliged to record calls with clients
- Energy companies recording meter readings given over the phone are fulfilling a contractual obligation
- Recording calls in a call centre for monitoring and training purposes falls under the legitimate interest and carrying out official authority conditions.
In this last example, it is important that the caller gives their consent explicitly, and that any privacy considerations do not outweigh the need to carry out something officially.
Another area for data protection concerns when using VoIP is taking payment details over the phone.
If you’re using a call recording feature, you need to be sure you aren’t recording someone’s card details if they give them over the phone when making a payment. Doing this would be a breach of Payment Card Industry Data Security Standards (PCI DSS) rules.
Two ways of ensuring you don’t breach the rules in this situation would be either to pause the call recording. Alternatively, transfer the call to a phone that isn’t part of the call recording system. For either option, it makes sense to include these functions into your VoIP specifically if your business takes payments in this way.
Non-compliance with Data Protection
Breaching data protection regulations can result in hefty fines. In 2018, the maximum fine set for infringements of GDPR and DPA was £17.5 million, or 4% of annual turnover.
Not all data infringements lead to fines, but they can lead to official warnings and reprimands, temporary or permanent bans on data processing. Suspension of data transfers and ordering the restriction or deletion of data.
There’s also the issue of reputational damage. If it becomes public knowledge that you’ve breached data protection rules, this could have serious long-term implications for your profitability.
When Does EU GDPR Still Apply?
The EU GDPR may still apply to your business if you operate in the European Economic Area (EEA), offer goods or services to individuals within it, or monitor the behaviour of individuals in the EEA.
If companies within the EEA send you personal data, they must comply with GDPR when doing this. Therefore, it’s best that you work out in advance the best way of transferring personal data in this way.
Find Out More About VoIP
We supply high-quality, innovative VoIP solutions to our resellers, helping them to build profitable businesses.
Call us on 02200881182, email us at sales@vipvoip.co.uk or fill in our contact form and we’ll be back in touch as soon as we can.