Back to Blog

3 tips for GDPR-compliant call recording, from an attorney

Preston Thomas

Senior Privacy and Compliance Counsel

Call recording disclosure Header

Congratulations, you’re an international business. Surprised? Don’t be: In the era of GDPR, pretty much everyone is when it comes to privacy law. So whether you’re based in Europe or simply have customers there, take our checkup to make sure your call recording practices will not land you in the merde with European regulators.

Why call recordings?

The classic reasons why a business might record telephone calls are “for training purposes”, to avoid disputes later, or simply to save the participants taking notes during the call.

But with modern AI-based transcription, you can do so much more than just save call audio: with Dialpad Ai Contact Center, for example, you can provide real-time knowledge assists to your agents:

Real time assistance RTA card blog size

… And track things like competitor mentions and adherence to call scripts, and even analyze sentiment to spot trouble in real time…

Single Item Card Sentiment analysis for a list of calls in real time blog size

Your customers are trying to tell you what they want. If you’re not taking advantage of call recording and transcription, you’re leaving money on the table in every call, in teachable moments for agent training, product insights, and risks reduced. So how do you get these advantages while staying compliant? It’s all about setting up a compliant call recording program.

Why call recording disclosure?

In a word: compliance. In two words: trust and compliance. Laws vary from jurisdiction to jurisdiction, but customer trust is key no matter where you are. And trust requires honesty. Many customers have come to expect that calls will be recorded, but you can’t simply assume they know. I’ve addressed call recording disclosure at length in the post “This Call is Being Recorded.” The takeaway: No matter what jurisdiction you’re in if you’re going to record or transcribe a customer’s call, tell them you’re doing it. Not only is it good practice to disclose when you’re recording a customer, it’s the law in many places, and the old country is one.

You’re not in Kansas anymore: All-party consent, all the time

In the kaleidoscope of state law in the United States, you might have heard that some states (like Kansas) are “one party consent” jurisdictions, where it’s enough that only one person knows a phone call is being recorded. But many of the most progressive privacy jurisdictions—such as California, Massachusetts, and Washington—have adopted “all party consent” rules that permit recording only when all parties have been informed. Europe under GDPR follows the same rule.

So along with Constantinople, Pompei, and Czechoslovakia, add “one-party consent” to things you just won’t find in Europe anymore.

Dorothy and friends in kansas

Here’s your guide to staying on the straight and narrow, wherever the road takes you…

Tip 1: Get that yes

You might not have thought about the venerable practice of call recording in light of GDPR, but the Danish Data Protection Authority would like to remind you to reconsider. In a case decided in 2021, the Danish Datatilsynet fined an agency within its own government for recording phone calls without an adequate lawful basis under Article 6 of the GDPR. “Training purposes”? Not a good enough reason to avoid the need for consent. And in Europe, consent means affirmative consent.

So what plays in Peoria doesn’t play in Paris anymore: Unlike US-style recording laws where “implicit consent” is sufficient, merely notifying your European customers that the call is being recorded doesn’t meet the letter of the law under GDPR. Whether it’s yes, oui, si, ja, or the ever-charming joo (Finnish!), you need to get affirmative consent to continue recording.

So, Tip 1 is to update your European call center script and your agent training to make sure you’ve got that affirmative consent. If they agree, great, you’ve got it on record. No consent? Time to stop the recording.

Remember also that GDPR isn’t only about phone calls. We’ve mentioned video meetings, but consider the way you handle email, SMS, group chats, and social media. And if you’re planning to run live transcription for a call or meeting (with Dialpad's Vi, for example), it’s best to make this clear.

As long as you’ve got consent, voice transcription is a great way to make sense of customer interactions. This is a big reason why tech companies like Jungle Disk is so happy with its communications platform:

Outbound call recording disclosure settings in dialpad

Perhaps instead you’ve decided that “fifty million Frenchman *can* be wrong”, and you want to turn off recording and transcription, but only in Europe? We can automate that, too. Dialpad’s exception list feature lets you identify area codes and country codes to automatically skip recording and transcription in your phone conversations. No recording, no notification, no sweat.

Tip 2: Dump the data when you’re done

Customer personal data is not like a fine French wine: It doesn’t get better the longer you keep it. So sayeth Article 5 of GDPR, which lays out the principle that consent for data processing only extends for as long as it takes to fulfill that purpose.. So when considering a call recording or transcription policy, begin with the end in mind: Determine what you need the data for, how long that will take, and when the data will have served its purpose. For instance, if you use call records to analyze a campaign’s performance, you should plan to delete them after that campaign is complete.

A great way to stay on top of data minimization is take advantage of Dialpad’s customizable retention policies to automate deletion of records when you’re done with them. From recordings and transcripts to all personal data, you’ve got control of your data.

Tip 3: Be ready for access and deletion requests

Personal data includes recordings of phone conversations, but also other forms of customer communication and information. Under GDPR, if someone requests access, you have to comply within 30 days. Likewise there’s the famous “right to be forgotten”. Luckily, Dialpad Ai Contact Center makes it super-easy to search for stored recordings and customer details and export or delete them as needed. Dialpad is ready to assist with Data Subject Access Requests (DSAR) through its DSAR Portal.

🔏 Download the AI Compliance Guide

Want to use AI—while staying compliant with regulations? Learn more about what to pay attention to in this guide.

Vive la différence: It’s not going away

Life would be much easier if every country and state had the same rules, but that’s never going to be the case! Love it or hate it, GDPR and privacy law differences between countries are here to stay, so might as well get comfortable and get the right tools for the job, like a business phone system from a reputable company like Dialpad, where you’ll know that your data is secure and you have the features you need to get on with business while staying compliant.

Have EU customers and planning to set up a call recording for your business?

Book a product tour to check out how Dialpad Ai Contact Center’s recording, transcription, and notification tools can automate the process—no technical setup needed.