The Data Protection Act (DPA) 2018 is a UK Act which updates the old DPA 1998 that complements the EU’s General Data Protection Regulation (GDPR). Under this new data protection regime, personal data must be: processed lawfully, fairly and in a transparent manner; collected for legitimate purposes; relevant for what is necessary; and be kept up to date and in a form that allows identification of data subjects for no longer than necessary.
In order to demonstrate compliance with these key principles, organizations that process personal data of UK residents, including mobile text messages and call recordings, must have a mobile archiving policy and retention schedule in place.
While seemingly complex, there are a few strategies that UK firms should implement to meet the data privacy requirements of DPA 2018. To assist these efforts, we detail in this infographic the key steps for compliant call recording and text message archiving under the new DPA 2018 and GDPR requirements.
1. Ensure You Have Lawful Basis to Capture Mobile Calls and Record Mobile SMS
Before your capture voice calls or record mobile SMS of your clients in the UK, first ensure that you have a lawful reason for holding and processing such data. DPA, in line with Article 6 of GDPR, sets out six reasons to legally collect, use and store personal data:
- Contract obligation –You can hold and deal with the data if you need to use it for a contract that you have with the data subject. For instance, the data subject wishes to subscribe for monthly newsletters and online courses.
- Legal obligation– You can lawfully capture and record phone calls and text messages if you need to comply with the law, for instance, using the data for safeguarding the welfare of adults or children.
- Public task– Retaining and processing personal data is lawful if it will be used for a task that is in the public interest or for an official function.
- Legitimate interest – Retaining and processing of data is lawful if it would be in the interest of the local authority (e., financial regulators such as FCA), the data subject, or any third party. One example of legitimate interest is the retention of investment advisors’ phone calls for fraud prevention.
- Vital interest–Retaining and processing of data may also be lawful if it is necessary to protect an interest which is essential for the life of the data subject. Often applicable to the local authority in its public health task.
- Consent – If none of the reasons set out above apply, you must obtain consent from the data subject. Under the Act and Regulation, consent has to be obtained in a particular way.
2. Determine If It’s Really Necessary to Retain Mobile Calls and Text Messages
Once you have ensured the lawful basis for capturing and recording voice calls and mobile SMS, the second thing you need to do is to determine if the processing is indeed necessary.
Capturing and recording phone calls and text messages with a UK resident is “necessary” if they are vital to carrying out what your organization needs the data for. In the UK financial services sector, for instance, archiving text messages is necessary in order to comply with the electronic communication supervision requirements of MiFID II.
The rationale behind this measure is to ensure that such a process is reasonable and vital enough in order to require for the collection and storage of personal data. In other words, you need to determine if there are other obvious ways of doing such a process without using personal data. If there is none, then it is likely to be “necessary” under the legislation.
3. Ensure Data Security
Data security remains equally, if not more important, under the DPA 2018 and GDPR. The special provision (Schedule 57) of the Act requires data controllers to implement appropriate technical and organizational measures which are designed to:
- Implement the data protection principles in an effective manner, and
- Integrate into the processing itself the safeguards necessary for that purpose.
UK financial and healthcare organizations, as well as public agencies, must ensure that they are implementing data privacy policies designed to educate and train employees on best practices when it comes to protecting customers’ privacy, including:
- Not opening or responding to suspicious emails to avoid a data breach.
- Ensuring the company website exposes no security vulnerabilities for hackers.
- Storing captured and recorded mobile calls, text messages, and other mobile content on secure, WORM format.
- Monitoring any business-related conversations on mobile devices used by employees through an enterprise mobile archiving system.
- Encrypting data sent over the public network.
- Confining access to certain data to select employees.
The TeleMessage Mobile Archiver is an enterprise messaging app that effectively addresses call recording and text message archiving compliance, eDiscovery response requirements and reduces security and fraud risks across the UK financial, healthcare, and public sector. TeleMessage records mobile content, including SMS, MMS, WhatsApp messages, voice calls, and social media content from corporate or BYOD mobile phones. Messages are securely and reliably retained within TeleMessage servers or forwarded to an archiving data storage vendor of your choice.
Our mobile archiving products securely capture content from mobile carriers and mobile devices for a variety of ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:
TeleMessage offers cross-carrier and international mobile text & calls archiving for corporate and BYOD phones. Visit our website today at www.telemessage.com to learn more about our mobile archiving products.
){kind=link}