Bringing Clarity to MiFID II/GDPR Call Recording 

By now you’ve surely heard of MiFID II and GDPR – two new regulations impacting telecom resellers across the UK and the EU. MiFID II arrived in January 2018, and GDPR goes live in May 2018. Driven by UK’s communications regulator (Ofcom) and the Financial Conduct Authority (FCA), these regulations both aim to improve the security and scrutiny of communications/data. While MiFID II applies primary to the financial industry, GDPR spans every industry. In short, these regulations will enable telecom resellers to offer safe, compliant solutions to their business customers.   

MiFID II is a legislative framework for the regulation and operation of financial markets in the European Economic Area (EEA). Its aim is to protect investors, increase competition and improve financial regulatory consistency. In order for financial firms to comply with this new legislation, they must implement systems to support automated call recording and storage and retrieval of client interactions including mobile, landline, SMS, email and face-to-face. 

On May 25, 2018 the General Data Protection Regulation (GDPR) comes into effect in the UK and across Europe. Its intent is to bring consistency to data protection laws throughout the EU. GDPR will impact any business (large and small and across every vertical) which processes data.  The law aims to ensure all customer data (including audio recordings) a firm holds is accurate, up to date, secure and available to customers to correct or delete. Records must be kept on how you process data, who has access to it and what justification you have for collecting and storing it. Numonix’s call recording offers 100 permission levels to restrict who can access your recordings. 

GDPR specifies particular situations in which call recordings may be made, including: 

  1. Where individuals have given consent to be recorded (this consent cannot be assumed) 
  2. Where call recording is necessary for the fulfilment of a contract 
  3. Where recording is necessary to satisfy legal requirements such as to maintain compliance with the MiFID II regulations which affect the financial sector 
  4. Where recording is necessary to protect the interests of one or more participants
  5. Where recording is in the public interest (such as in the case of emergency services calls) 
  6. Where recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call (source: COMMSBUSINESS – Call Recording Faces GDPR, MiFID II and AI Challenges, 2/19/2018) 


Under GDPR, businesses must be sure their recording solution enables them to: 

  • Capture consent for recording – Organisations will need to be a lot clearer on how they will be using or ‘processing’ recorded calls and data, but they will also need to ask for and keep a record of the fact that consent was explicitly given. 
  • The controlled ability to delete or port records if required 
  • Keeping records safe through controlled platform access, encryption and deployment options (source: COMMSBUSINESS) 

See also “MiFID II and GDPR: What you Need to Know”, which includes several links to additional resources and further clarity.