GDPR has been in force since May 2018. Although the UK is no longer a member of the EU, there are no great changes to the data protection principles under UK data protection law.
In the UK, the GDPR and the Data Protection Act 2018 (DPA) control the use of people’s personal information. With this in mind, when using your VoIP system, you must adhere to strict data protection rules. These state the use of personal data must be:
Appropriate security of personal information includes protection from unauthorised processing or unlawful access, loss, damage or destruction.
It is vital to have a clearly defined set of data protection procedures that you can demonstrate and that cover the use of VoIP.
One of the most important and often used features of VoIP is call recording. If you are going to record incoming customer calls, you need to be able to justify the need to do so legally.
Caller Consent is vital
According to data protection rules, a user or caller holds a very strong position. They need to give their consent for you to collect their data via call recording, and this consent can be withdrawn at any time. In the event you’ve recorded a call and the caller no longer wants you to keep this data, they are entitled to request that you delete it. Where this happens you must comply unless there is a legitimate reason for keeping it.
Examples applying data protection to various conditions listed above include:
In this latter example, it is important that the caller gives their explicit consent and any privacy considerations do not impact upon the need to carry out something officially.
Another area for data protection is triggered when using VoIP to take payment details over the phone.
When you’re using a call recording feature, you need to be sure you aren’t recording someone’s card details should the caller give them over the phone to make a payment. Doing this would be a breach of Payment Card Industry Data Security Standard (PCI DSS) rules.
Ways of ensuring you don’t breach any rules in this situation would be either to pause that call’s recording or to transfer the call to a phone that is outwith the call recording system. Either way, it makes sense to make sure these functions are included in your VoIP phone system, specifically if your business takes payments from customers over the phone.
Breaching data protection regulations may result in large fines. In 2018, the maximum fine set for non-compliance with GDPR and DPA was £17.5 million, or 4% of annual turnover, as well as reprimands such as bans on data processing, suspension of data transfers, and orders to restrict or delete data.
There is also reputational damage to consider. If it becomes public knowledge that you’ve breached data protection rules, this can cause serious damage to your reputation and seriously impact your profitability.
The EU GDPR might still apply to your business while you are trading in the European Economic Area (EEA), if you are offering goods or services to individuals within it, or monitoring the behaviour of individuals in the EEA.
If companies within the EEA send you personal data, they must also comply with GDPR when doing this.