The concept of data protection is not new. Previously known as privacy by design, it's always been part of data protection law and we as a vendor have always included data protection tools in our products.
The EU-wide General Data Protection Regulations (GDPR) came into force on May 25th 2018 and it is now a legal requirement that you should be using those tools, rather than it being left to good practise.
GDPR applies to any organization that collects, stores and processes the personal data of people who live in countries that are members of the EU.
When using our Echo product, you will likely need to be aware of GDPR regulations because the phone calls it records could contain personally-identifiable information such as names and addresses, and sensitive information such as financial, health, religious and sexuality information.
The data protection tools and features in our products help you comply with data protection legislation in the following ways:
Article 6 of the GDPR text states that at least one of the following criteria must be met in order for recording calls (in this case) to be considered lawful:
When an individual does not give consent and there is no legal basis to record personal details in your phone calls, you can use the in-built call masking features of Echo to remove personal information from calls.
A general guide to GDPR is available from the United Kingdom's Information Commissioner's Office
GDPR provides the following rights for individuals in relation to any call recording that contains their personal information:
Free-of-charge product upgrades available to maintained customers often include new data protection tools and features
GDPR requires you to process personal data securely, which is also nothing new.
In the United Kingdom, it replaces but complements the previous requirement to have "appropriate technical and organisational measures" (Data Protection Act 1998)
However, GDPR is more prescriptive about how you assess and implement the security you use when processing data. Whilst these are broadly equivalent to what was considered simply "good practice" under previous legislation, they are now a legal requirement.
Under the right of access and right to erasure, data subjects are entitled to request copies of the personal data you hold about them and, if permitted, request a removal of such data.
These requests should be honoured in a timely fashion, according to GDPR legislation.
The UK has already implemented its Data Protection Act 2018 which was inherited from GDPR legislation so will not be affected by the UK's independence from the EU.
As with any other country that isn't a member of the EU, the obligations on UK companies towards "EU subjects" should be respected.