How to Set Up Call Recording on Your VoIP System (UK Legal Guide)

Why Record Calls on a VoIP System?

Call recording is one of the most requested features on business phone systems, and for good reason. It provides a verifiable record of what was said, agreed, or promised during a conversation — protecting both your business and your customers.

Common reasons businesses record calls include:

• Dispute resolution — settling disagreements about what was agreed during a phone conversation
• Compliance — meeting regulatory requirements in sectors like finance, insurance, and healthcare
• Training and quality assurance — reviewing calls to improve agent performance and customer service
• Order verification — confirming verbal orders or authorisations
• Liability protection — having evidence if a complaint or legal claim arises

On a modern hosted VoIP system, call recording is typically built in and can be activated with a few clicks in the admin portal. There is no need for separate hardware or third-party software.

UK Legal Requirements for Call Recording

Before you switch on recording, you need to understand the legal framework in the United Kingdom. Call recording is legal, but it is regulated — and getting it wrong can result in fines or legal liability.

The Key Legislation

Three pieces of legislation govern call recording in the UK:

1. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP Regulations) — this allows businesses to record calls without consent for specific lawful purposes, including quality monitoring, training, compliance, and establishing facts
2. The UK General Data Protection Regulation (UK GDPR) — recorded calls contain personal data, so you must process them in accordance with data protection principles
3. The Data Protection Act 2018 — supplements UK GDPR with additional provisions relevant to UK businesses

Do You Need Consent?

Under the LBP Regulations, businesses can record calls without the other party's explicit consent, provided the recording is for one of the permitted purposes listed in the regulations. However, UK GDPR adds a layer of complexity:

• You must have a lawful basis for processing the recorded data — legitimate interests is the most commonly used basis for business call recording
• You must inform callers that the call may be recorded — this is typically done via an automated announcement at the start of the call
• You must include call recording in your privacy policy
• You must conduct a Legitimate Interest Assessment (LIA) documenting why recording is necessary and how you balance it against the caller's rights

In practice, the safest approach is to always inform callers that the call is being recorded. A simple pre-call announcement removes ambiguity and demonstrates transparency. For a deeper look at the legal requirements, read our guide on call recording for UK businesses.

How to Set Up Call Recording on a Hosted VoIP System

The technical setup for call recording is straightforward on most cloud-based VoIP platforms. Here is a typical step-by-step process:

Step 1: Enable Recording at the System Level

Log into your VoIP admin portal and navigate to the call recording settings. You will usually find options to enable recording globally (all calls), per extension, or per call queue.

Step 2: Choose Your Recording Mode

Most platforms offer several recording modes:

• Always on — every inbound and outbound call is recorded automatically
• On demand — agents press a button or dial a code to start and stop recording during a call
• Selective — recording is triggered based on rules, such as recording all calls to a specific queue or from a specific number

For compliance-heavy environments, "always on" is the safest choice. For general business use, on-demand recording gives agents control while still capturing important conversations.

Step 3: Configure the Pre-Call Announcement

Set up an automated message that plays at the start of recorded calls. A standard announcement might say:

"This call may be recorded for training, quality, and compliance purposes."

Most VoIP platforms let you upload a custom audio file or use text-to-speech to generate the announcement.

Step 4: Set Storage and Retention Policies

Recorded calls need to be stored securely. Configure:

• Storage location — most hosted VoIP providers store recordings in the cloud, encrypted at rest
• Retention period — how long recordings are kept before automatic deletion (common periods range from 30 days to 7 years depending on your industry)
• Access controls — who can listen to, download, or delete recordings

Step 5: Set Access Permissions

Restrict access to call recordings based on role:

• Supervisors and managers may need access to their team's recordings
• Compliance officers may need access to all recordings
• Individual agents may or may not be given access to their own recordings

Keeping access limited reduces the risk of data breaches and ensures compliance with data protection principles.

GDPR Compliance Checklist for Call Recording

Use this checklist to ensure your call recording setup meets UK GDPR requirements:

• Pre-call announcement is active and clearly states calls are recorded
• Lawful basis for recording is documented (typically legitimate interests)
• Legitimate Interest Assessment has been completed and filed
• Privacy policy includes information about call recording, retention periods, and data subject rights
• Recordings are stored securely with encryption at rest and in transit
• Access to recordings is restricted by role
• Retention periods are defined and automatic deletion is configured
• A process exists for handling Subject Access Requests (SARs) relating to call recordings
• Staff are trained on call recording policies

PCI DSS and Payment Card Data

If your business takes payment card details over the phone, call recording adds another compliance layer. Under PCI DSS (Payment Card Industry Data Security Standard), you must not store CVV numbers in any form — including audio recordings.

Solutions include:

• Pause and resume — agents pause recording before the customer reads out card details, then resume afterwards
• Automatic DTMF masking — the system detects tone inputs and masks them in the recording
• Secure payment IVR — the customer enters card details via keypad into a secure system that bypasses the agent entirely

Most modern hosted VoIP solutions include PCI-compliant recording options or integrations with secure payment providers.

How Long Should You Keep Recordings?

There is no single answer — it depends on your industry and the purpose of the recording:

• General business use — 30 to 90 days is common for quality and training purposes
• Financial services — FCA regulations may require recordings to be kept for 5 to 7 years
• Healthcare — retention varies depending on the nature of the conversation and NHS or CQC requirements
• Legal and insurance — retention aligned with policy terms or statute of limitations

Whatever period you choose, make sure it is documented in your privacy policy and that automatic deletion is configured to enforce it.

Getting Started

Call recording is a valuable tool when implemented correctly. The key is pairing the technical setup with proper legal groundwork — pre-call announcements, documented lawful basis, secure storage, and clear retention policies.