My latest quest with GDPR is centered around modifying call center data collection advisories. Currently, we mostly use the standard "This call will be recorded for quality and training purposes" that you hear all of the time. However, I don't think this fits the bill in terms of GDPR. Some specific thoughts:
-According to the text of the law, consent must be freely given, specific, informed, and unambiguous.
-Consent requires a positive opt-in (no tacit consent, pre-checked boxes, implicit consent, etc)
By those two factors alone, the above standard phrase would not pass inspection because it doesn't require any sort of positive, explicit consent given from the individual (previously, the industry agreed that by not objecting or hanging up, the customer was giving their implicit consent to being recorded).
So, my challenge now is how to update the call center initial advisory to account for GDPR without making it a huge mouthful to get through. Understanding that GDPR focuses on access to and erasure of data, my initial attempt reads something like this:
"This call will be recorded for quality and training purposes. You may request access to or erasure of the data that we collect from you by calling XXX-XXX-XXXX. Do we have your consent to continue recording this call?"
Now, if they say no, we would have to advise them that contractually we are obligated to record calls, and so if they refuse, we must end the call and cannot provide them the service they are seeking. But that's a different problem.