Data Privacy - If You Collect It, Protect It - Call Recording

Data Privacy – If You Collect It, Protect It

Data Privacy Day, started in 2008, is upon us. It’s an ideal time to assess the data that you’ve collected, who owns it, and what you should do with it. 

Call Recordings: Who Owns My Data? 

Every time a call recording is made, the recording itself is stored in a data center. If you’re using a hardware recorder, it’s probably stored locally in your own storage. When you use a cloud recorder, like Atmos, the data is redundantly backed up in the cloud. But who really owns it? Logically, it’s your recording, and you made it; it should be yours. But with data, the ownership line is a blurry one. 

Why Do I Need To Own My Call Data?

When your call recording solution also manages your call data storage, it’s wise to ensure you won’t be denied access to your data based on who owns the storage facilities. When it comes to laws like GDPR, your customers can demand that you produce or destroy recordings you’ve made of their interactions with your company over the phone. Several compliance laws support a customer’s right to their data and, more importantly, the right to be forgotten. 

What happens when the company storing your data doesn’t guarantee your right to ownership unless you upgrade your account to include a higher level of account status? You could face steep fines that increase until you’ve successfully produced or destroyed the data in question. 

Be The Data Controller

While the average customer never reads EULAs, your legal department should always review them because these digital agreements, usually signed in haste with a click, are where you find out if a company is on your side or, well, not exactly trustworthy.

Your recording platform should be a service

Let’s take the way CallCabinet handles our customer recordings in regards to ownership. We’re a B2B company and you’re our customer. We provide you the means to record your customers, but we act solely in the capacity of a data processor or service provider. As such, we have no right to sell, reveal, play back, or delete your recorded data. You, our customer, are the data controller which puts the proper legal distance between our company and your customer, which protects you and them.

Ideally, your call recording company should have nothing to do with the destiny of your customer data. Meaning, when a customer demands you produce or delete data, your company is in control of the process, which is, in and of itself, a compliance requirement in many instances. 

Compliance and safety: keep your calls in the Cloud

Losing any of your customer data, especially to data thieves, is a violation of their privacy as well as a compliance failure. Controlling your data doesn’t just include satisfying a customer’s demand to be forgotten or to have their data given to them for review. Your company employees are on those calls, too. When a call or series of calls is involved in a dispute, you need a way to encrypt and safely move the data to review it. 

Storing call audio locally comes with its own set of data loss and privacy violation risks. Moving unencrypted data, especially across states or countries, can violate some laws (and result in fines).  

CallCabinet recommends a 2-layer solution: 

  • All call audio is recorded directly to the Cloud (or at least stored there after recording) 
  • The storage process should always start with encryption

Using 256-bit military-grade encryption makes even lost data useless to data thieves and keeps critical data (especially customer PCI data) safe. 

Data retention periods should be your decision

Another issue that can cause a problem is the amount of time a recorded call remains in storage, known as a data retention period. That is, unless you are the data controller as in the scenario discussed previously. However and wherever your call data is stored, to remain compliant with laws like MiFIDII and Dodd-Frank, you need to have total autonomy over your data’s storage retention. 

This is not an issue when you’re the data controller because you will have defined retention lengths with your recording service provider at the outset of your service. However, when you manage the recording service separately from the storage plan (e.g. one company records, another company provides cloud storage), be aware that if your storage service has its own retention policies, you could wind up in violation of some compliance laws if your data gets deleted. 

Data Privacy Protects Us All

Investing time to learn more about data privacy is essential to staying compliant, protecting your customers, and avoiding fines. If you’d like to learn more about how to keep your call data private and industry-compliant, reach out to us today.


CallCabinet-Blog-Author-Brian-Gocher
Brian Gocher
Brian is a freelance technology writer and media editor based out of Central New Jersey. He’s logged 20 years of experience in the Telecom industry and side-hustles in the record industry. Brian started his career in technology at a company that made analog modems. He migrated to a marketing career in the call recording industry where he learned exactly how and why calls are monitored for quality assurance. These days Brian fuses his skills together to deliver his researched observations about telephony and compliance laws in polished articles and videos. He’s also composed the music for a long list of big Hollywood trailers. He does not miss the sound of analog modems but he is endlessly fascinated with phones.