The Impact of GDPR

on Tollring Partners and Customers

General Data Protection RegulationAnd The need for consent

Tollring sees the adoption of General Data Protection Regulation (GDPR) as an evolution of data protection, rather than a revolution.  GDPR specifically affects Tollring partners and customers that require us to process data from EU jurisdictions or EU citizens’ personal data processed outside the EU.

The Right to be Ignored

The Right to Rectification

The Right to be Forgotten

The Right to Data Portability

The Right to be Informed

The Right to Object

The Right of Access

Rights on Automated-Decisions

Our Continued Focus on Data Protection

The preservation and protection of private data has been core to our products for over a decade and this has been recognised through our early adoption of the Data Protection Act (DPA) requirements and the acquisition of our ISO9001 and ISO27001 certifications focusing on Quality and Information Security.  Please refer to our data protection policy for further details.

We will continue this focus by facilitating GDPR compliance, through security by design, without diminishing the Tollring products you enjoy today.

Call Analytics, Call Recording and GDPR

Tollring provides call analytics and call recording solutions that are sold via Service Provider Partners. We record calls and capture personal data as part of our service. We need to make sure that we provide the necessary tools to our customers, to enable them to meet their compliance obligations. We also need to make sure that where we, as Tollring, store call recordings and personal data, that these meet all necessary compliance and security obligations.

Businesses wishing to record data will be required to actively justify legality, by demonstrating the purpose fulfils any of six conditions:

People involved in the call have given consent to be recorded

Recording is necessary to protect the interests of one or more participants

Recording is necessary for the fulfilment of a contract

Recording is in the public interest, or necessary for the exercise of official authority

Recording is necessary for fulfilling a legal requirement

Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call

Our Approach to GDPR

Tollring offers efficient reliable products which maintain the regulatory environment created by GDPR.  Upgrades are available across all of our solutions to provide our users with the ability to meet their GDPR compliance.

Tollring has introduced strong functionality accessible to authorised users via a new compliance centre in iCall Suite.  Product enhancements do not just focus on call recording but also add benefits for our call analytics-only users.  Features include:

  • Filterable Audit Reporting, allowing audit data to be exported on usage, deletions and changes.
  • CLI Masking (within reporting data), to satisfy those customers that do not wish to appear on unreturned missed call lists.
  • Extension Archiving, for complete accuracy on call activity reporting following extension reallocation.
  • Definable Call Recording Policy Rules; by department, by call direction, whitelisting (for legitimate call recording which does not require consent) and blacklisting (where consent has not been granted).
  • Compliance Dashboard, containing key compliance metrics (filterable by date), such as percentage of calls rejected (not recorded), total call recordings deleted and pending deletion and total call recordings paused and resumed for PCI DSS compliance purposes.
  • Call Recording Deletion; depending on deployment method, call recordings can be deleted in line with a specified business policy, either individually or in bulk.

Please note that compliance features vary across products and across deployment methods, due to the nature of technology differences.

Penalties for Non-Compliance are High

As one lawyer put it; “If the financial cost of a breach doesn’t put you out of business, the reputational damage will.’

The new accountability principle stipulates that a Business or Entity has a responsibility to demonstrate that they comply with the principle by:

  • Implementing appropriate technical and organisational measures that ensure and demonstrate they comply
  • Maintaining relevant documentation on processing activities
  • Implementing measures that meet the principles of data protection by design and default
  • Adhering to approved codes of conduct and / or certification schemes

Under GDPR regulations, failure to demonstrate this could result in penalties so it is important that we as a Processor, can clearly demonstrate our processes in order that users of our products can incorporate these in their compliance procedures.