What the new GDPR regulations mean for businesses that record calls

For all businesses involved in telephone trading, May 2018 is a time to mark in the diary. New EU legislation regarding General Data Protection Regulations (GDPR) is being introduced across all member states – at which point the UK will still be an EU member. Despite the somewhat preposterous possible scenario of the new legislation being introduced only for Britain to leave the EU and potentially scrap the ruling mere months later, it is legislation that all businesses operating in the field need to be aware of and act on.

The key changes

The new GDPR regulations expand on existing regulations of the Data Protection Act. The primary motivation of the DPA was to create a level playing field in terms of the rights of individuals and the rights of companies. GDPR goes a step further in protecting individuals ahead of companies.

Business will need to justify their recording of information along the following lines:

  • All parties involved need to give consent to the call being recorded
  • Recording is a requirement for the fulfilment of a contract
  • Recording is a legal requirement
  • Recording is necessary to protect the interests of one or more participants
  • Recording is in the public interest
  • Recording is in the interests of the recorder, unless those interests are less important than those of the participant

In a departure from current practices, the consent of the individual to be recorded will not simply be assumed. A business will need to justify the call recording under the above categories. Businesses will be required to appoint a Data Protection Officer (DPO) in the same way under current legislation there are requirements for First Aid Trained and Health and Safety staff. Fines for non-compliance will be hefty in the case of a serious breach – businesses could face up to 4% of annual turnover being levied.


Going forwards, businesses will need to justify every call recording under the above categories; any call recording outside of the above points will be considered an infringement of the GDPR as information is not being used for its specified purpose.

As such, businesses will need to have clear dividing lines in terms of when call recording is being undertaken and for what purposes. Personal phone calls made by employees are one such example where none of the above criteria are being followed and a breach could occur if not handled properly.

Having files available for customers to request their information, within reason, will need to be on hand within the organisation.

In short, businesses will need to address the GDPR on two fronts:

  • Training and behaviour: Policies and protocols need to be spread across the organisation to ensure all staff are aware of the changes.
  • Technology: Solutions for storing audio files safely will be required within the business to keep on top of the calls being made.

Any questions? Would you like to act now and prepare your business for GDPR? Contact us!

Subscribe to