The Impact of GDPR and Opportunities for the Channel

Tollring sees the adoption of the General Data Protection Regulation (GDPR) as an evolution of data protection rather than a revolution.

The need for consent underpins GDPR.  Applying to any organisation that does business with the EU, GDPR regulation is focused on the rights of the individual, including; the right to be ignored, to be forgotten, to be informed and the right to access / obtain or rectify personal data.

Businesses wishing to record data will be required to actively justify legality, by demonstrating that the purpose fulfils any of six conditions, including; consent given by all parties, to fulfil a contract or legal requirement, to protect the interests of participant(s), to exercise official authority or the legitimate interests of the recorder.

This means that businesses who use call recording need to draw up specific policies and procedures outlining which of the processing conditions they believe applies to them and, where necessary, explain how they will gain consent from participants.

Some of these conditions will apply specifically to certain uses of call recording in certain sectors.  In the financial services sector, for example, they are fulfilling a legal contract to record calls leading up to a transaction, as required by the FCA under MiFID II.  Emergency and security services will be exercising official authority to record calls and it is in the interest of public protection.

For general business call recording, the options are to gain consent or to justify call recording as being in the legitimate interests of the recorder.  However, as the ‘legitimate interests’ of a business are unlikely to outweigh the interests of personal privacy under the new regulations, realistically that only leaves gaining consent from all participants as a necessary requirement.  Businesses must therefore look at how consent is provided and how this consent can be captured for audit purposes.

GDPR needs to be considered by every business within the EU and every business that does business with the EU.

It is the role of companies like Tollring, acting as a Processor, to provide the necessary information, tools and facilities to help the channel and their end users to meet GDPR compliance and to be able to prove that the rights of individuals are being protected.  It should be noted however that no software solution can itself be ‘GDPR compliant’ – it is up to channel partners to understand how each of their solutions can facilitate compliance, then educate their end customers on how, in their industry sector, they can use their solutions and services in a compliant way.

The Impact of Brexit

GDPR has direct effect across all EU member states so organisations will still have to comply with this regulation – it does not make any difference that the UK is leaving the EU.  The Directive becomes law in the UK without Parliamentary approval and will therefore remain part of the UK statute book following the UK’s European Union exit.
The Data Protection Bill September 2017 has a few differences to the GDPR, which extend the framework for data processing.  Therefore, it is important for the GDPR and the DP Bill to be read side by side.

Sales Opportunities for the Channel

GDPR offers the perfect excuse for the channel to revisit its entire customer base and educate them on the requirements of GDPR.  The channel can take on the role of the trusted advisor and help customers make the transition to GDPR, explaining how the latest solutions and services can assist customers in making the necessary changes to working practices.

GDPR presents an excellent upsell opportunity for call recording solutions – particularly in SME and vertical sectors.  Some organisations, such as those in the financial sector or emergency and security services, need to record calls to comply with specific regulation or to protect the public interest.  Call recording functionality will need to demonstrate that it meets the criteria laid down in the Regulation including security by design, clear retention, identification and deletion processes for personal data and enhanced user configuration.

Businesses recording calls for general purposes, such as to monitor service levels or for staff training, will be required to actively justify legality.  They will have to gain express consent from all participants and capture that consent.  These organisations will also need to draw up specific policies and procedures outlining the processes that enable them to meet the regulation.

No-One Can Hide!

No-one can hide from GDPR.  All businesses have a responsibility to demonstrate that they have complied with the appropriate technical and organisational measures.  They must maintain relevant documentation on processing activities and adhere to approved codes of conduct. Failure to demonstrate this could result in significant penalties.

Whilst the financial cost of non-compliance may not break a company, the reputational damage of failing to protect customers’ data could be ruinous.

As featured in Comms Business