GDPR and Call Recording

Transcript of the Video

Good evening ladies and gentlemen, Suzanne Dibble, data protection law expert coming to you raw and uncooked after a fantastic implementation day today, where we had 100 spaces on the implementation day, 100 spaces were taken, and we all got together at 9:30 this morning, we finished at 4:30, and we cracked through an awful lot. And the feedback at the end was phenomenal.

I think people got a great deal of clarity out of it, and moved their compliance efforts forwards in great strides. So, thanks to those who came on that implementation day today and were so ... I was going to say devoted. Yes, they were ... Today they were devoted to GDPR, and they did a fantastic job. So, well done to you guys.

Okay, so a quick video tonight, because I've been talking literally solid from 9:30 to 4:30, my voice needs a bit of a rest. I wanted to pick up on a question in the group, which was about GDPR and recording phone calls, which we haven't touched on yet.

So, I haven't been able to find much comment on it, so I'm interpreting the legislation. So, as always, we ask ourselves certain questions when we're thinking about GDPR that will help us to apply it in practical situations.

The first is, am I processing personal data? Well, if what you talk about on the phone call that's being recorded enables you to identify an individual, then that is personal data, and it brings you within the realms of GDPR.

Are you processing that data? Yes, by recording that call and storing the recording, then yes, you're processing that data.

So your next question is, what is my lawful ground of processing, and if you've watched my overview training, or pretty much any of my other videos you'll know that there are the six lawful grounds of processing, and if none of them apply you can't legally process that data, okay?

So, there's three that are relevant to the issue of recording phone calls. The first is consent, the second is necessary for compliance with a legal obligation, and the third is where it's necessary for the purposes of the legitimate interests of the controller, except where such interests are overridden by the interests, or fundamental rights and freedoms, of the data subjects.

So let's talk about legal obligation first, because that's the most straightforward. If you've got a legal obligation to record a phone call then that's great. That's pretty cut and dry.

Now, where it's not so cut and dry is between whether you need consent and legitimate interests. Now, the temptation might be to think FAB will just say we're going to use the legitimate interest to record all our calls, that's nice and easy, we don't need to mention it to the person on the other end of the phone call, and, you know, that's all tickety-boo.

Not quite so easy. If you've listened to any of my videos on the legitimate interest you'll know it's a bit of a gray area. You have to carry out this three-stage balancing test, and you have to keep that on file. And really it's ... If it was to look after the interests of the data subject, it's not black and white, it's a bit of a gray area, it's definitely not the easy route out.

A Contract, that is more ... It's more ... Not contracts, consent. Sorry, consent. It's obviously more black and white. If people give you consent then, you know, you know you've got your consent. The problem with it is, are people actually going to consent to have their phone calls recorded? So, that's the question that you've got to ask yourselves.

Now, with legitimate interests, the other thing to think about is you can’t mention it at all. You would have to be upfront with the person on the call and say what you're recording the call for, what your ground of processing is, and tell them about their right to object to the processing on the grounds of legitimate interests, okay? So it's not just a case of oh, we'll just rely on legitimate interests and not say anything. You have to point that out to the data subject.

Equally, in terms of thinking about consent, then you have to make sure that it's a GDPR standard of consent, and I'll to the ICO checklist on consent underneath this video. So, you know, again you have to think about issues like if they don't consent, then have all of the telephone operators got the software, and the ability to turn off the recording for that individual person that you're talking to. Are they ... You know, they'll need full training as to what to say, how to make sure that it's not recorded, etcetera.

And also, you need to give people the right to opt-out. Now, I'm not saying that you need to give them the right to opt out in the middle of that phone call, but if you are considering relying on a consent given ... you know, at one point in time, for all future phone calls with them, then remember you've got to give them the right to opt-out of that consent. Same ... Actually, the same with legitimate interests as well, you've got to remind them of their right to object to the processing.

So, other things to think about are the privacy notice, because as we know ... Oh, sorry, just before I move on, actually, explicit, sensitive data. So if the phone call is containing sensitive data and you're wanting to record it, then you need an extra condition for processing that data, and that is either explicit consent from the data subject, although at the moment the draft data protection bill in the UK only talks about consent, not explicit consent, for processing special category of data. There are also the grounds like the ... the health ground. I'm ... A bit more complex than that, but that's how I'll summarize it.

So .. And I've done a video on what those extra conditions are for sensitive data, so don't forget that. If you're recording calls and there's sensitive data on them, make sure you've got that extra ... That extra condition for processing the special category data.

So, privacy policy, okay? So, what Article 13 says is that where personal data relating to a data subject is collected from the data subject, the controller shall, at the time the personal data is obtained, provide the data subject with all of the following information, and then it lists all of the things that are included in the privacy notice.

So how do you do that on the call without doing a sort of 15-minute preamble before you actually get stuck into the call? And, well, what I would do is I would explain the purposes of ... Well, explain the fact that you're going to be recording it, or that you'd like to be recording it, explain the purpose of the recording, and then explain the lawful grounds on which you're processing it. And if it's consent, then obviously at that point you would obtain the consent of the data subject.

Now, do you need to trot out the rest, I don't think anyone would think that's reasonable. I'm sure you'd be able to say, just to let you know that we will be processing and be safeguarding your personal data in accordance with our privacy notice that you can find at blob, and direct them to the relevant place in your website. So, don't forget about that.

And then, also, other things to think about in terms of call recording are think about security aspects of it, especially where it's involving sensitive data. Think about procedures for data subject rights. So, if people write in and say, "What data are you holding about me?" Then don't forget to be able to identify personal data contained in recorded phone calls.

The right to be forgotten, again, you know, make sure you've got processes in place to reflect that. If they ... If you're relying on legitimate interests and they object to that ground of processing, and object to the processing, then, again, you need to have systems in place to make sure that the recordings are deleted, and that no ... You know, if you phone them again for whatever reason, that the phone calls aren't recorded going forwards.

If you're relying on consent, again, they can opt-out of that. So, again, you'd need systems in place to make sure that they're opted out properly. And also, if you are relying on consent, then remember there is the obligation to record and keep a record, of that consent. So think about how are you actually going to do that in your systems. How are you ... you know, are you going to, on your CRM system, have a new box that says, you know, customer, or prospect, or whoever it has consented to the call being recorded, and keep a note that way.

So there's quite a lot to think about in the context of GDPR. Again, you know, my views are that if you're upfront about what you're doing, and you have a good reason for why you're doing it, then hopefully you'll be able to carry on recording your phone calls, whether that be under a ground of consent or a ground of legitimate interests.

So those are my thoughts. If you do a lot of call recording yourself then comment on the video and let me know if there are any specific situations that you're thinking about, or whether this has answered the questions that you have.

And I think that's probably it for now, but basically what ... On all of these practical questions, we just need to ask ourselves the series of questions about how GDPR applies, and, really, the critical one is what is the lawful ground of processing. And I think here if you've got the legal ground, that's straightforward, otherwise, you know, I think it's a fairly difficult decision between consent and legitimate interests.

So, let me know if you do process phone calls, which ground you think you will be using. Okay, so I hope that's helpful for those of you who do record your calls and keep your questions coming. I've got another ... Goodness me. Oh, my word! 25 day ... Well, 24 days, I think, after this one, so another 24 videos.

And yes, yes, yes, for the web designers here, I am going to be doing a ... either a video or a Facebook Live for you guys, it's just I want to make sure that it is ... It's a quite an expansive area, so I can't just quickly ... You know, I'm going to have to prepare, make sure that it's all covered, and make sure that it's all right. So, it's not a 5-minute job is what I'm saying. So, I'm hopeful that that will be tomorrow or the next day, so watch out for that.

So thanks, as always. I'll see you tomorrow.