Call recording and data protection

The concept of data protection is not new. Previously known as privacy by design, it's always been part of data protection law and we as a vendor have always included data protection tools in our products.

The EU-wide General Data Protection Regulation (GDPR) came into force on May 25th 2018, and using those tools is now a legal requirement rather than something left to good practice.

GDPR applies to any organization that collects, stores and processes the personal data of people who live in countries that are members of the EU.

Phone call recordings may contain people's personal data and are therefore subject to data protection regulations.

When using our Echo product, you will likely need to be aware of GDPR because the phone calls it records could contain personally identifiable information such as names and addresses, and sensitive information such as financial, health, religious and sexuality information.

Data protection features

The data protection tools and features in our products help you comply with data protection legislation in the following ways:

  • Call recordings can only be accessed by authorized users
  • Call recordings are stored in an encrypted format
  • Call obfuscation masks out parts of phone calls containing personal data
  • Calls older than a certain age can be removed automatically

Lawfulness

Article 6 of the GDPR text states that at least one of the following criteria must be met in order for recording calls (in this case) to be considered lawful:

  • Consent
    The individual has given clear consent for you to record their call.
  • Contract
    The recording is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation
    The recording is necessary for you to comply with the law (not including contractual obligations) such as financial regulatory law.
  • Vital interests
    The recording is necessary to protect someone's life.
  • Public task
    The recording is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests
    The recording is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

When an individual does not give consent and there is no legal basis to record personal details in your phone calls, you can use the in-built call masking features of Echo to remove personal information from calls.

A general guide to GDPR is available from the United Kingdom's Information Commissioner's Office.

Individual rights

GDPR provides the following rights for individuals in relation to any call recording that contains their personal information:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision-making and profiling

Free-of-charge product upgrades available to maintained customers often include new data protection tools and features.

Security

GDPR requires you to process personal data securely, which is also nothing new.

In the United Kingdom, it replaces but complements the previous requirement to have "appropriate technical and organisational measures" (Data Protection Act 1998).

However, GDPR is more prescriptive about how you assess and implement the security you use when processing data. Whilst these requirements are broadly equivalent to what was considered simply "good practice" under previous legislation, they are now a legal requirement.

Subject access requests

Under the right of access and right to erasure, data subjects are entitled to request copies of the personal data you hold about them and, if permitted, request a removal of such data.

These requests should be honoured in a timely fashion, according to GDPR legislation.

We added a Subject Access report in our TIM Plus and TIM Enterprise products to allow you to respond more quickly to subject access and removal requests.

Does Brexit affect GDPR?

The UK has already implemented its Data Protection Act 2018, which was inherited from GDPR legislation, so it will not be affected by the UK's independence from the EU.

As with any other country that isn't a member of the EU, the obligations on UK companies towards "EU subjects" should be respected.