From 25th May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (DPA) and will bring significant changes to the ways that companies must store and process personal data. The GDPR is designed to set clear rules for businesses when they collect and store personal data; it also gives everyone complete power over their own data and a full understanding of their rights. The new regulation was created as a reaction to increased internet usage and the sale of personal information, and gives consumers more control over their personal data.
The new law will bring data protection in the UK in line with the rest of the EU, and nothing (not even Brexit) will stop it, so it is best to start preparing now. Businesses must have strong policies in place to avoid scrutiny and potential fines. This article highlights some of the key elements of the GDPR and best practice for companies.
What is meant by ‘Data’?
An individual’s personal data can relate to their name and address, but can also include fingerprints, DNA, recorded calls and date of birth. The definition has now become broader, covering any information that can be traced back to a single person. All of this information will be covered and protected by the GDPR.
What are the new GDPR principles?
GDPR is generally similar to the DPA; however, the level of compliance required depends on how much data, and what type of data, the business stores. In short, the more data your company collects and processes, the more compliance is required under GDPR.
Regardless of your business’s size, you must still provide privacy protection, notification and consent, and protect the information through secure storage. GDPR places a larger focus on protecting an individual’s rights over their data, so when companies collect and process the data, they must also justify the legality of doing so.
How does this affect recording phone calls? And how can I ensure I am doing this legally?
To ensure that any phone call that is being recorded is done so legally, you must comply with the following conditions:
1. Consent to record is received from the individual(s) in the phone call.
2. The necessity of the recording is justified, i.e. to fulfil a contract or to meet legal requirements.
3. The recording is necessary to protect the interests of one or more participants.
4. The recording is in the public interest, or necessary for the exercise of official authority.
5. The recording is in the interest of the recorder, unless that interest is overridden by the interests of the participant of the call.
Should call recording be used to monitor customer service, the first condition must be followed to ensure compliance. However, this reason can be outweighed by the fifth condition, as it could be argued that quality assurance of staff is less important than the participant’s interest in privacy.
Under the DPA, when a recording takes place the individual must be informed of the purpose and of how the information will be processed. If the participant continued the call, consent was assumed, and this was acceptable and common practice. But how does this change under the new regulation? The GDPR implements tighter rules, meaning implied or assumed consent is no longer enough. Express consent must be given, either by recording verbal consent or by having AI terminate the call if consent is not given.
Rights to Access Data Have Also Changed
Individuals now have the right to access any stored information relating to them, so businesses will need to identify, retrieve and provide a copy of it upon request. Companies must therefore construct an efficient method of providing this information on demand. In addition, should any individual request that their information be deleted, this must be completed with immediate effect.
As with any new policy, any changes must be coordinated with the IT and call recording provider to ensure they are feasible.
The new ‘Principle of Accountability’ requires companies to demonstrate compliance with the new rules of GDPR. The GDPR also stresses that data protection systems should be implemented with immediate effect rather than phased in over a set period of time. A realistic policy that staff and providers can actually fulfil should therefore be implemented. Creating a 200-page policy, for example, would not be beneficial for compliance, and would make it more difficult to prove that you are fulfilling the policy.
To successfully demonstrate compliance, policies and protocols will need to be drafted, and staff will need to be trained so that they are fully aware of the new processes and provisions. This will need to be carefully managed to ensure compliance, and should there be any breach of data privacy, companies are required to inform both the data subject and the regulators.
What Are the Penalties?
The new rules bring new penalties for lack of compliance. Under the DPA, organisations could be fined up to £500,000 should they deviate from the rules. Under the GDPR, fines can range from 2-4% of global turnover, depending on the severity of the case. These new fines are designed to deter non-compliance and have a huge impact on those who do not follow the rules, so it is important to act now.
What should your lawyer do to help?
We believe that before deciding what improvements and changes need to be made, you must have a full understanding of your business, its operations and what data you really need to be collecting. Any policy that is created should be bespoke, drawn up on a client-by-client basis and based on what the company can realistically achieve. Talking to your providers will also help you see whether you will be compliant by the time GDPR comes into effect.