From 25 May 2018 the Data Protection Act 1998 (DPA) will be replaced by The General Data Protection Regulation (GDPR), and it will bring important changes to the ways data is stored and processed by businesses. The introduction of GDPR is designed to set clear rules for businesses to follow when collecting and storing personal data, it also allows everyone to understand their rights in relation to the information held about them. The new regulation was created as a reaction to increased internet usage and sales of personal information, allowing consumers more power over their personal data.

The new law will bring data protection in the UK in line with the rest of the UK and nothing (not even Brexit) will stop it – So it is best to start preparing now! Your business must have strong policies in place to avoid scrutiny and potential fines. This article will highlight some of the key elements of the GDPR, and the best practice for companies.

What are the new GDPR principles?

The general framework of GDPR is similar to DPA, and the level of compliance is dependent on how much, and the type of data collected. In essence – the more data collected and processed by your company, the more compliance is required under GDPR.

You must, however, still afford privacy protection, notification and consent and protect the information by secure storage, regardless of your business’s size. GDPR places a larger focus on protecting an individual’s rights about their data, therefore when companies collect and process the data, they must also justify the legality of it.

What is meant by ‘Data’?

An individual’s personal data can relate to their name and address, but can also include fingerprints, DNA, recorded calls, date of birth and now has become more stringent, including any information that can be traced back to a single person. All of this information will be covered and protected by the GDPR.

How does this affect recording phone calls? And how can I ensure I am doing this legally?

If you record phone calls you must fulfil any of the following conditions to ensure you are doing so legally:

  1. Receive consent from the individual(s) in the phone call to record.
  2. Justify the necessity of the recording, i.e. to fulfil a contract, or for legal requirements.
  3. It is necessary to protect the interests of one or more participants.
  4. The recording is in the public interest, or necessary for the exercise the official authority.
  5. It is in the interest of the recorder, only overridden if they conflict with the interest of the participant of the call.

When a business is using call recording to monitor customer service, they are still left to fulfil the first condition to be fully compliant. The fifth condition may also apply as it could be argued that staff quality assurance outweighs the interest of privacy.

So, what does this mean should you want to continue recording phone calls? Under the DPA, when a recording takes place the individual must be informed of the purpose and how the information will be processed. If the participant continued the call consent was assumed, and this was acceptable and common practice. The GDPR implements tighter regulations, meaning implied/assumed consent is no longer enough. There must be express consent given, either by recording verbal consent or having AI terminate the call if consent is not given.

Rights to Access Data Have Also Changed.

Individuals will now have absolute access to any information stored about them, and this will need to be identified, retrieved and provided to them upon request. Therefore, as a business you must implement a an efficient method of doing this upon request. In addition, should the individual request to have your details removed you must do so with immediate effect. Any policies that are put into place to ensure this is done must be co ordinated with your IT and call recording provider to ensure you can fulfil your claims.


Business must be able to actively display their compliance to the new rules under the ‘Principle of Accountability.’ The GDPR stresses the importance of implementing data protection systems with immediate effect. Creating an extensive policy is not going to be useful if your staff and providers are not going to be able to fulfil the obligations. Having an honest and realistic policy will be most effective, and will be easier to demonstrate should you need to prove fulfilment.

In order to implement any policy effectively there are several steps that must be completed. Including, drafting policies and protocols, and training staff to make them fully aware of the new provisions followed by careful management and implementation.


Along with the new policies implemented there are also new penalties designed to deter and punish organisations committing further breaches. Under the DPA, organisations could be fined up to £500,000. However, under the new GDPR fines can range from 2-4% of global turnover, depending on how severe the case was. These fines are designed to have a large impact on non-compliant companies, therefore it is important to act now.

By Karen Holden, Founder, A City Law Firm