Live Call Anytime and GDPR
We apologise for the delay in clarifying the situation with Live Call Anytime and GDPR.
GDPR Guidance says ‘Controllers are liable for their compliance with GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected’.
Our customers use Live Call Anytime in many different ways, so below we set out some scenarios describing who we believe holds each role and what should happen, as a guide.
Before that, our understanding from the legal advice we have sought is:
- Opex Hosting is the Data Processor recording, processing and storing the data.
- The business that holds the data (e.g. the phone details used when making Live Calls) is the Data Controller. For the most part this is a trainer’s customer, or it could be a telemarketing company’s customer.
- PhoneCoach is a Facilitator between the Data Controller and the Data Processor. We don’t hold any data or use it. We act as a ‘broker’ between you: we give you the number to make the calls and then delete them at the end. The ICO does not have a term for this role, so we are calling ourselves a Facilitator. The only time we get involved with the data is when we occasionally listen to calls while troubleshooting queries.
- A trainer who works with their customer and listens back to their staff’s calls and coaches them is also a Facilitator.
Here are some of the ways Live Call is used by our customers; we believe you will fit into one of these categories.
There are different types of customer for Live Call usage, which means your responsibilities will differ depending on which type you are.
Scenario A – you are a trainer and you give the Live Call number to your customers’ staff to make calls which you then listen back to either in a group situation or one to one
In this case the Data Controller is the party that holds the data (e.g. the phone numbers), so it is the ‘end customer’ whose staff make the outbound calls.
The Processor/Sub Processor is Opex Hosting who stores the data on their servers.
The Facilitator is you, the trainer, who goes in to help the staff in the business improve their telephone skills. You don’t own or handle the data.
PhoneCoach is also a Facilitator as it doesn’t handle the data either and is simply a ‘broker’ of the data.
GDPR does not recognise the position of a Facilitator in this context, and our legal adviser has said that the ICO has not taken this kind of role into account.
Scenario B – telemarketing companies
The Data Controller is still the end customer who you are working on behalf of.
The telemarketing company can be seen as a processor, as you are making the calls and possibly altering the data to update it, or grading calls and giving feedback. You will need a processing agreement of some kind between you and your customer covering how you handle their data. Again, we would advise that your policy includes something they sign confirming that they either have consent or there is a legitimate interest in calling the contacts. If it is a mystery shopping call you will be calling their own company, so there will be consent, but make sure your client confirms this.
PhoneCoach is a Facilitator.
Scenario C – a trainer who uses the service for ‘role-playing’ calls, no live calls involved.
You are a trainer who just uses Live Call for ‘role-playing’ purposes and no live calls are involved. This assumes you are not using actual real people’s phone numbers or information, and have made up scenarios for the calls.
There is nothing you need to do at all.
Scenario D – a trainer who makes live calls to customer’s contacts in a training room
You are a trainer who makes live calls personally when in a training room to a customer’s database to demonstrate how to make a call.
In this case you need to put something in writing stating that you are assuming implied consent from their own contacts that calls can be made and recorded. This should be covered by their GDPR policy. The onus is on your customer.
Your customer is still the data controller.
Opex is still the processor.
You are a processor in that you are handling the data, but if this happens in the training room in front of a group then the term processor is really being stretched. You are really more of a Facilitator.
PhoneCoach is a Facilitator.
In ‘black and white’ terms, prospects should be advised that they are being recorded in order to gain consent. However, we have been told by legal advisers that the GDPR rules on prospecting are very much aimed at those who make lots of nuisance calls (particularly to consumers), make lots of out-of-hours calls, hound people and so on, and are not aimed at the majority of genuine professional businesses who simply want to make a living and are mindful of not hassling people.
We have been told that many contact centres will continue to call prospects where they believe the person they are calling has a legitimate interest in their product or service. Otherwise businesses large and small are going to go out of business!
If you are prospecting then you need to be a business which:
- makes calls 9-5;
- calls people who are not on the telephone preference service;
- offers a service/product in which the prospect could have a legitimate interest to improve their own business;
- deletes that person’s information if they request it; and
- always offers an unsubscribe option on emails.
In other words, being reasonable about how you use the data you already have.
It is about keeping your lists up to date and not using ancient mailing lists.
It is making sure you always offer the option to unsubscribe in email communications.
BACKGROUND TO THE NEW GDPR RULES THAT RELATE TO PHONE CALLS
Companies that record telephone calls need to make sure that they have a legal basis for collecting and processing any personal data contained in those calls. They will have to actively justify the capture of conversations and put consumers’ rights ahead of their organisation, otherwise the recording could be deemed unlawful. They should also comply with all the other aspects of the GDPR that follow from that lawful basis. This may include individuals’ rights of access, challenge, amendment and erasure, security, and notification of breaches.
There are clearly a number of situations where call recording is deemed lawful. Examples include financial institutions that are required by law to record all calls, emergency services calls that are recorded in the interest of public protection, and other sector-specific regulations.
But from 28th May onwards, the magic phrase “calls are recorded for training purposes” may not be sufficient justification without the caller’s consent. Businesses need to look at how they change their processes (and possibly technologies) to better support the data protection regulations.
Businesses wishing to record calls will be required to actively justify legality, by demonstrating the purpose fulfils any of six conditions:
- The people involved in the call have given consent to be recorded
- Recording is necessary for the fulfilment of a contract
- Recording is necessary for fulfilling a legal requirement
- Recording is necessary to protect the interests of one or more participants
- Recording is in the public interest, or necessary for the exercise of official authority
- Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call
For general call recording, for example to monitor service levels or for staff training in a contact centre, the options left to businesses will be conditions one or six. And as the ‘legitimate interests’ of a business in evaluating customer service are not always likely to outweigh the interests of personal privacy under the new regulations, realistically that may only leave gaining consent.
The following information is from the ICO, which says:
What are the rules on making live calls?
- The rules on live marketing calls are in regulation 21. In short, you must not make unsolicited live calls to:
  - anyone who has told you they don’t want your calls; or
  - any number registered with the TPS or CTPS, unless the person has specifically consented to your calls – even if they are an existing customer.
- You must always say who is calling, allow your number (or an alternative contact number) to be displayed to the person receiving the call, and provide a contact address or freephone number if asked.
- You can also make live calls to any business number that is not registered on the TPS or the CTPS, but only if they haven’t objected to your calls in the past.
Our legal advice has been that calls that are business to business will more reasonably fall under legitimate interest than if you are phoning a consumer at home.
Going forward our interpretation of GDPR is that:
- Live Call can continue to be used to call customers and lapsed customers, BUT only where the Data Controller (usually the business you are working for in this case) has consent to call them or considers that there is a legitimate interest in calling them.
- When making prospecting calls, the Data Controller must be clear that the call falls under condition 1 or 6 above, that the business being called is not on the telephone preference service, and that their details will be deleted if asked.
- Live Call can still be used for ‘role-play’ i.e. calling from one delegate to another.
Some of the Technical and Organisational Data Protection Measures which we are expecting Opex Hosting to confirm shortly
The following are the technical and organisational data protection measures:
- The Data Processor shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Data Controller, it maintains security measures to a standard appropriate to:
  - the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
  - the nature of the Personal Data.
- In particular, the Data Processor shall:
  - have in place, and comply with, a security policy which:
    - defines security needs based on a risk assessment;
    - allocates responsibility for implementing the policy to a specific individual (such as the Data Processor’s Data Protection Officer) or personnel;
    - is provided to the Data Controller on or before the commencement of this Agreement;
    - is disseminated to all relevant staff; and
    - provides a mechanism for feedback and review.
  - ensure that appropriate security safeguards and virus protection are in place to prevent unauthorised access to the Personal Data;
  - protect the Personal Data using pseudonymisation, where it is practical to do so;
  - ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
  - have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form;
  - password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure, and that passwords are not shared under any circumstances;
  - not allow the storage of the Personal Data on any mobile devices such as laptops or tablets unless such devices are kept on its premises at all times;
  - take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
  - have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
    - the ability to identify which individuals have worked with specific Personal Data;
    - having a proper procedure in place for investigating and remedying breaches of the GDPR; and
    - notifying the Data Controller as soon as any such security breach occurs.
  - have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
  - have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment; and
  - adopt such organisational, operational, and technological processes and procedures as are required to comply with the requirements of ISO/IEC 27001:2013, as appropriate to the Services provided to the Data Controller.