General Data Protection Regulation

General Information

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a new regulation intended to strengthen and unify data protection law within the European Union. Through a range of far-reaching provisions, the European Commission aims to give data subjects across Europe increased ownership and control over their personal data, ensuring the right to a private life and providing a simplified “one-stop shop” regulatory environment for the acquisition, use and storage of the personal data of European citizens.

The GDPR provisions are being incorporated into UK law via the new UK Data Protection Bill, and so will apply to UK businesses even after the UK leaves the EU. The GDPR came into force on the 24th May 2016 and is applicable from May 25th 2018.

Who has to comply with GDPR?

The GDPR will apply to any business or entity, regardless of their geographical location, that holds or processes the personal data of EU citizens.

This means that the scope of the GDPR will extend beyond the European bloc to include any entity which holds or processes the data of individuals within the European Union. The UK Data Protection Bill ensures that all UK businesses will have to protect UK citizens in the same way.

The GDPR will regulate data in all formats: audio, video, photographs, IP addresses, device IDs and cookies are all covered by the regulation. “Personal data” is defined as any data which may be used to identify an individual, either directly or indirectly, or as part of a collection of data spread across multiple systems. The GDPR has a broad definition of personal data which includes genetic, biometric, cultural, political, economic, social, mental and religious information.

The Key Issues

The GDPR is a complicated piece of legislation that will require a detailed analysis in order for organisations to fully understand how it will impact their operations and procedures. See Article.

Some of the key points of the GDPR include enhanced personal rights for data subjects, including:

  1. The right to be forgotten, the right to data portability, the right to greater access to personal data and the right to sue entities for failing to comply
  2. Increased importance in obtaining consent to hold and process data – this consent may be withdrawn by the data subject at any time
  3. 'Privacy by Design' – privacy must be built-in to data processing and handling procedures
  4. Breach disclosure: increased transparency through the mandatory reporting of security and confidentiality breaches to regulators and those affected within specified timeframes
  5. The requirement to conduct routine Privacy Impact Assessments (PIAs) to regularly monitor exposure to risk
  6. The requirement to appoint a Data Protection Officer (DPO)
  7. Increased sanctions: the GDPR gives regulators the right to impose substantial fines for non-compliance – up to 4% of global turnover

GDPR compliance and what action should be taken with respect to call recordings and other communications data

Under the GDPR, individuals will have the right to access, change and have removed any of their personal data. This means that contact centres must ensure that the information they house is not only properly stored but also made available to legitimate customers.

To build compliance, a review of all data acquisition, storage and processing practices across an organisation should be undertaken. This will enable businesses to identify any required changes to infrastructure, systems and procedures.

Key considerations for users of call recording systems are:

  • Consent and Reasons to record
    Businesses wishing to record telephone calls will be required to actively justify the legality of doing so by demonstrating that the reason to record fulfils any of the six conditions laid down by the GDPR. If the conditions cannot be met, it may be necessary to put a process in place which obtains positive consent to record.
  • Old Media Format Archive Data
    Archived call recording data that is held on ageing physical media formats, such as tape-based and optical media, will pose a compliance risk for any business that continues to depend upon it. If it is not necessary to continue to store this data, it should be disposed of; if it is required to be kept, it should be transferred on to an up-to-date media format and secured.
  • Storage Solutions
    All call recording data storage infrastructure that is old or approaching its end of life is a risk and should be replaced with modern infrastructure with advanced security measures, with the data migrated on to it.
  • Legacy Recording Platforms
    Using legacy recording platforms that are out of date or no longer supported by the manufacturer is a potential compliance risk, as they may not have the data management or advanced search capabilities required to comply easily with the GDPR. Consideration should be given to updating or replacing these old call recording systems and migrating data on to a new, secure platform at an early date.
  • Search and locating data
    Thought must be given to how and where recordings are stored, as customers will have the right to request access to any personal data being held. Organisations will have to identify, access and, if requested, provide and delete any recordings of interactions that contain captured personal information within one month. Organisations should consider how they will search for and access all of the call recording data that they hold; any recording that can be used to identify an individual must be easily found and managed. Historical recordings on old infrastructure may be a particularly difficult challenge. Modern advanced search and analysis technologies will ease the compliance task, so consideration should be given to upgrading any existing systems or, if necessary, replacing them with a completely new call recording platform.

A proactive approach to risk management is a common requirement of most new regulations, and businesses are expected to demonstrate to regulators that they have taken all reasonable steps to mitigate their exposure to risk.

Storacall has considerable experience in migrating historical recordings from old systems on to new platforms and will be pleased to discuss GDPR compliance solutions, so contact Storacall today and find out how we can help your business become compliant.