GDPR Compliance and what action should be taken with respect to call recordings and other communications data.
Under the GDPR, individuals will have the right to access, change and have removed any of their personal data. This means that contact centres must ensure that the information they house is not only properly stored but also made available to legitimate customers.
To build compliance, a review of all data acquisition, storage and processing practices across an organisation should be undertaken. This will enable businesses to identify any required changes to infrastructure, systems and procedures.
Key considerations for users of call recording systems are:
Consent and Reasons to Record
Businesses wishing to record telephone calls will be required to actively justify legality by demonstrating that the reason to record fulfills any of six conditions laid down by GDPR. If the conditions cannot be met, it may be necessary to put a process in place which obtains positive consent to record.
Old Media Format Archive Data
Archived call recording data that is held on aging physical media formats, such as tape-based and optical media, will pose a compliance risk for any business that continues to depend upon it. If it is not necessary to continue to store this data, it should be disposed of. If it is required to be kept, it should be transferred on to an up-to-date media format and secured.
All call recording data storage infrastructure that is old or approaching its end-of-life is a risk. It should be replaced with modern infrastructure that has advanced security measures, and the data migrated.
Legacy Recording Platforms
Using legacy recording platforms that are out of date or no longer supported by the manufacturer is a potential compliance risk, as they may not have the data management or advanced search capabilities required to easily comply with GDPR. Consideration should be given to updating or replacing these old call recording systems and migrating data on to a new secure platform at an early date.
Search and Locating Data
Thought must be given to how and where recordings are stored, as customers will have the right to request access to any personal data being held. Organisations will have to identify, access and, if requested, provide and delete any recordings of interactions that contain captured personal information within one month. Organisations should consider how they will search for and access all of the call recording data that they hold; any data that can be used to identify an individual must be easily found and managed. Historical recordings on old infrastructure may be a particularly difficult challenge. Modern advanced search and analysis technologies will ease the compliance task, so consideration should be given to upgrading any existing systems or, if necessary, replacing them with a completely new call recording platform.
A proactive approach to risk management is a common requirement with most new regulations, and businesses are being expected to demonstrate to regulators that they have taken all reasonable steps to mitigate exposure to risk.
Storacall has considerable experience in migrating historical recordings from old systems on to new platforms and will be pleased to discuss GDPR compliance solutions. Contact Storacall today and find out how we can help your business become compliant.