From 25 May 2018, the Data Protection Act 1998 (DPA) will be replaced by the General Data Protection Regulation (GDPR). The new regulation will involve some major changes to the way personal data must be collected and stored. Failure to follow the new guidelines and principles of data protection could lead to huge fines, so it is important to fully understand the principles and put the necessary infrastructure in place. The government has confirmed that Brexit will not affect the implementation of GDPR, and it will impact any business (big or small) that holds personal data, so it is best to start preparing now.
The introduction of GDPR has been designed to set a clear set of rules for businesses to follow when holding personal data. It also gives power to the people the data is about, giving them a full understanding of their rights over the data held about them. The GDPR was introduced as a reaction to increased online activity and the sale of personal data, giving consumers more control over what happens to their data.
GDPR will bring data protection legislation in the UK up to the level of the rest of the EU. Businesses must be fully compliant with the new regulations. This article will help you fully understand the new law and avoid any potential fines!
So, what are the new principles under the GDPR?
The general framework of the GDPR isn’t too different from that of the DPA; the level of compliance is dependent on the volume and type of data collected by each organisation. In short, the more reliant your business is on data collection and processing, the more compliance is required under GDPR. Privacy protection, notification and consent must still be afforded, and any data collected must be held in secure storage. The new GDPR regulation places a higher emphasis on protecting the rights of every person; therefore, companies must now justify the legality of the data they are collecting.
What is meant by ‘Data’?
Data can be used to describe a range of personal information relating to an individual. It can be as simple as names and addresses, but can also be fingerprints, DNA, recorded calls or date of birth, and now, under the new regulations, includes any data that can be related back to an individual. All such information held by you will be covered and protected by the GDPR.
What is the law relating to recording phone calls? How can you make sure you are doing this legally?
Legal compliance can be demonstrated by fulfilling any of the following conditions:
1. The individual(s) involved in the call has consented to the recording
2. The recording is completely necessary, i.e. the fulfilment of a contract or legal requirement
3. The recording is needed to protect the interests of one or more participants
4. The recording is in the public’s interest, or necessary for the exercise of the official authority
5. The recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call.
An example of where a company may record a phone call would be for ‘staff quality assurance purposes.’ When applying this to the above conditions, the company is left to satisfy the first condition (consent) to be protected from non-compliance. Condition 5 may also be argued, but it would be difficult to show that the monitoring of customer service outweighs personal privacy.
Under the DPA, when recording a phone call the individual must be informed of the recording, its purpose and how it will be processed; implied consent by continuing the call is acceptable and usual practice. The new GDPR regulations will make this stricter: assumed consent will no longer be acceptable, and the individual must expressly provide consent. This can be done by recording verbal consent, or by having an automated (AI) system in place to terminate the call if there is no explicit confirmation.
The new ‘Principle of Accountability’ requires companies to demonstrate compliance with the new rules of GDPR. The GDPR also stresses that data protection systems should be implemented with immediate effect, not phased in over a set period of time. Therefore, a realistic policy that staff and providers can actually fulfil should be implemented. Creating a 200-page policy, for example, would not be beneficial for compliance, and would make it more difficult to prove you are fulfilling the policy.
To successfully demonstrate compliance, policies and protocols will need to be drafted, and staff will need to be trained so that they are fully aware of the new processes and provisions. This will need to be carefully managed to ensure compliance, and should there be any breach of data privacy, companies are required to inform both the data subject and the regulators.
Individuals have express access to their data
Individuals now have the right to access any stored information relating to them; businesses will need to identify, retrieve and provide a copy upon request. Therefore, companies must construct an efficient method of providing this information on demand. In addition, should any individual request that their information be deleted, this must be completed with immediate effect.
As with any new policy, any changes must be coordinated with the IT and call recording provider to ensure they are feasible.
GDPR also brings new penalties for companies that do not comply with the new regulations, designed to prevent further breaches. Previously companies could be fined up to £500,000; however, under the new regime companies could be fined between 2 and 4 per cent of global turnover, depending on the severity of the breach.
Karen Holden is founder of A City Law Firm