Call recording under the General Data Protection Regulation (GDPR): A UK legal perspective
Organisations are increasingly looking to record calls for compliance, dispute-resolution, training and quality control reasons. In some sectors, such as financial services, there are specific legal requirements to do so.
The GDPR will apply because recording calls will generally result in ‘personal data’ and, potentially, so-called ‘special categories’ of personal data being obtained.
In essence, organisations can record business calls that involve personal data if the legitimate business needs of the organisation which lie behind such recording outweigh any adverse impacts for the individuals in question.
Organisations can also record calls that involve personal data if that is necessary for compliance with a legal obligation.
However, if there is a viable option for ensuring that only business calls are recorded, then an organisation that nevertheless adopts a blanket recording policy for the purposes of recording business calls, under which personal calls are also inadvertently recorded, may well be contravening the GDPR.
Further, personal calls are likely to involve special category personal data, and it will generally be very difficult for organisations to justify collecting such data under the GDPR (whether by obtaining explicit consent, or otherwise).
The GDPR’s ‘right to be forgotten’ will not operate to require the erasure of call recordings if the organisation in question is legally required to make and retain them.
In all other cases, right to be forgotten requests are likely to cause resource and other difficulties for organisations that record calls, although those difficulties will be lessened if the organisation has taken steps to avoid recording personal calls.
Similarly, if an organisation records calls, then right of access requests under the GDPR should in general be somewhat easier to navigate if steps have been taken to avoid recording personal calls.