Call recordings are a frequent occurrence in customer service, but with the advent of GDPR, there are a few things that companies must keep in mind to ensure they remain compliant.
In this blog post, we’ll cover the main conditions under which companies can record customer calls, what they need to do in order to stay compliant while doing so, and what they should be aware of once they’ve recorded a conversation.
We’ll also briefly touch upon why call recordings are helpful for customer support teams and software you can use to record calls without worrying about running afoul of GDPR regulations.
Disclaimer: This blog is for general informational purposes only. It is not intended to be taken as legal advice.
Why record customer support calls?
There are a number of benefits to recording customer support calls:
- They can positively influence CSAT
- They can lower time-to-resolution
- They can get product and customer support teams on the same page
- They can be used for record-keeping and training purposes
Call recordings can positively influence CSAT
Most customers detest repeating their issue over and over again to multiple agents. Recording their call to share with other agents can prevent them from having to do so, increasing CSAT in the process.
Call recordings can lower time-to-resolution
Call recordings can break down information siloes
Explaining customer issues to higher-level support agents or product teams can quickly turn into a game of telephone, with the issues being described more inaccurately the longer the chain. Sharing and recording customer calls completely eliminates this issue.
Call recordings can be used for record-keeping and training purposes
Call recordings can and should be used for QA and training purposes. They can be helpful in isolating and analyzing issues and evaluating agent performance. They can also be used for record-keeping purposes and be referred back to in case the need arises.
GDPR and call recordings: the rules
Since customer call recordings contain personal information, they are covered by GDPR. Companies must meet certain requirements in order to legally record and store customer calls, including:
- Obtaining explicit consent
- Explaining why the call is being recorded
- Processing and storing the call according to GDPR regulations
- Complying with Data Subject Rights requirements
- Complying with retention rules
Obtaining explicit consent
Before the advent of GDPR, it was sufficient to include a message stating that the call was being recorded and assume that the caller had given consent if they chose not to hang up. However, implied consent like this is no longer enough. Your customer support agents now must get explicit permission to record the call once they are speaking with a customer.
Explaining the purpose and manner of the recording
Prior to GDPR, companies didn’t have to go into specifics about the purpose of the call recording. They could simply state that the call was for training purposes and leave it at that, even if it was being used for something else entirely.
After GDPR, calls need to meet one of the following conditions before they can be recorded:
- All participants have consented to the recording for stated and specific purposes.
- The recording is needed to fulfill a contract that the participants on the call are party to.
- The call must be recorded to fulfill some legal requirement on the part of the business.
- The recording serves the purpose of protecting the vital interests of a participant or another person.
- Recording the call is in the public interest or for official purposes.
- Recording the call is in the legitimate interest of the business or a third party (as long as this doesn’t override the interest of the other participants on the call).
Companies also need to explain when, where, and how the call is being recorded.
Processing and storing the call according to GDPR
Any personal data that is collected and processed about citizens or residents of the EU needs to be stored on EU servers or within a jurisdiction that has similar levels of protection.
Complying with Data Subject Rights requirements
If you record customer calls, you must also comply with Data Subject Rights requirements. These rights can include the following:
- Request information about data stored by the company
- Correction of inaccurate personal data
- Deletion of data
- Restriction of data processing if deletion is not yet allowed due to legal obligations
- Data transfer
- Objection to processing
- Withdrawal of consent
If a caller requests a copy of the recording, requests data to be deleted, or exercises any other Data Subject Right, you must process the request within 30 days.
Complying with retention rules
Call recordings must be stored securely and encrypted. Access must be limited to certain parties and call recordings may not be shared with third parties unless explicit consent is given.
Companies must also securely store and transfer data with adequate technical and organizational measures.
What happens if you don’t comply with GDPR requirements?
Businesses can face warnings, reprimands, and orders to comply if they fail to comply with GDPR. They can also be fined. Fines can be as big as €20,000,000 or 4% of a company’s revenue, whichever is greater. Customers whose data was improperly collected or handled can also hold you liable for damages.
The best way to record customer support calls while staying compliant
Using a platform like Fullview to record customer calls for customer support is a great way to cover all your bases as far as compliance is concerned. Here’s why:
- Fullview is GDPR compliant and all data is stored securely on EU servers
- Fullview is based in the EU and headquartered in Copenhagen, Denmark
- Fullview automatically blurs out all GDPR-sensitive data (like addresses and payment information, for example) during session recordings and cobrowsing.
- Additionally, you can customize other kinds of data that you want to blur out during video call recordings and user session replay recordings.
- Fullview offers a Data Processing Agreement to all European customers.
- All of Fullview’s data is securely stored with Amazon Web Services on EU servers (located in Germany) which is fully automated and monitored by continuous functional tests to detect any sort of downtime.
- All user data is stored using Amazon Cognito. Amazon Cognito provides authentication, authorization, and user management for web and mobile apps. Data within Amazon Cognito is encrypted at rest in accordance with industry standards. Amazon Cognito is compliant with SOC 1-3, PCI DSS, and ISO 27001. It is also HIPAA-BAA eligible.
- Our SSL connection encryption maintains an A+ grade from Amazon Web Services.
Wrapping things up
Running afoul of GDPR has serious consequences for businesses operating in Europe. By following best practices like getting explicit consent, explaining the purpose of the recording, and complying with Right to Access and Right to Forget requirements, businesses can ensure they are doing things the right way. Using GDPR-compliant software like Fullview can also help you stay compliant without the hassle.