Most businesses these days have a phone call recording policy. Many of them, however, are still unclear about what aspects of call recording are legal. This lack of clarity can have potentially damaging financial, legal and reputational consequences.
From regulatory compliance and dispute resolution to training and quality control, businesses have different motivations for recording their employees’ phone calls. Such recordings are governed by a number of regulations, many of which are aimed at the financial services sector.
In particular, business call recording must adhere to the Data Protection Act 1998 (DPA) and the Regulation of Investigatory Powers Act 2000 (RIPA).
The DPA applies because call recording generally results in a business obtaining personal data about someone, while RIPA restricts when telephone calls can be intercepted and recorded. Recording calls without the knowledge or consent of the parties generally contravenes these rules.
For the purposes of DPA compliance, personal data includes any information about an identifiable individual, such as a home address. Sensitive personal data goes further and includes information about someone’s ethnicity, religious beliefs, or mental and physical health.
It is therefore easy to see how business call recording can frequently capture personal data. If personal calls are also covered by a company’s call recording policy, it is even more likely that sensitive personal data will be captured.
Former barrister and data protection and privacy expert Ben Hooper said that “business calls may be recorded without contravening the DPA if the benefits of recording outweigh any adverse impacts and if appropriate steps are taken to satisfy other data protection requirements that apply”.
In practice, however, businesses often allow their staff to make personal calls on company devices or at least turn a blind eye to such calls.
Hooper suggests that while this may be very convenient for employees, it raises the possibility of “significant compliance issues”.
If, for example, a business has a viable way to ensure that only business calls are recorded and personal calls remain private, a blanket policy of recording all calls may well contravene the DPA and expose the business to reputational damage, fines and other legal challenges.
It is therefore essential that a business has a clear call recording policy to avoid falling foul of data protection regulations.
Call recording regulations for financial services businesses are also going to tighten considerably in the near future. The revised Markets in Financial Instruments Directive (MiFID II) comes into force in January 2018 and imposes a new, much stricter set of rules around call recording on the financial services sector.
The regulation will also apply far more widely than the current requirements for recording phone calls, which cover about 30,000 City traders.
Instead, MiFID II will apply to all firms that provide financial services to clients whose business is connected to ‘financial instruments’. This includes shares, bonds, units in collective investment schemes, commodity trades and derivatives, as well as the venues where those instruments are traded. MiFID II also covers anyone in the advice chain that may lead to a trade, so the number of individuals falling under the regulation could go up tenfold, to 300,000 in the UK alone.
It also extends to the premises in which these calls or conversations take place, and requires that all “communications that are intended to lead to a transaction” be recorded and retained. Recordings will also need to be kept for longer: a minimum of five years, against the six months currently required.
MiFID II also introduces more robust rules around how businesses should record and store their conversations. It requires all records be kept in a durable medium that allows them to be replayed or copied but which prevents the original being altered or deleted.
Orders placed by clients must be recorded in a durable medium such as mail, fax, email, or an audio recording of client orders given at meetings.
MiFID II also states that businesses must ensure the quality, accuracy and completeness of these records, and they must be stored in a medium that is accessible and readily available to the FCA on request. Under MiFID II businesses will also need to review their recordings from time to time to ensure compliance.
Moreover, the new European General Data Protection Regulation (GDPR) comes into force shortly after MiFID II, in May 2018. The GDPR will supersede national laws such as the DPA and strengthens the protection given to individuals over the data held about them.
The GDPR will require firms to pay attention to the recording of conversations in the context of data privacy. Businesses will face greater penalties for data misuse under the GDPR: from the current maximum of £500,000 to potentially 4% of worldwide annual turnover. And remember that the UK’s eventual departure from the EU will have no impact on any of this legislation. If your customers are in the EU, you must comply.
Businesses will need a comprehensive view of their compliance across all channels, whether phone, email, SMS or in person, to meet these new regulations. They will need to demonstrate that the policies, procedures and management oversight required by the MiFID II recording and monitoring rules are in place.
Non-compliance is serious, both in the financial sense and in the sheer amount of time it takes to resolve if a business is found to be at fault.
The good news, with respect to both MiFID II and the GDPR, is that compliance is still achievable in time if firms take action today.
Sourced by James Foley, head of customer experience for Resilient