GDPR and Call Recording: What Your Business Needs to Know
Are Call Recordings Personal Data?
Yes. Under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, call recordings are classified as personal data because they contain identifiable information — a person's voice, their name, and the content of their conversation. This means that any business that records phone calls must comply with data protection requirements, regardless of the reason for recording.
Understanding your obligations is essential to avoid regulatory penalties and maintain customer trust. This guide covers everything your business needs to know about GDPR and call recording compliance.
Lawful Basis for Recording Calls
Under GDPR, you must have a lawful basis for processing personal data, including call recordings. The most common lawful bases for business call recording are:
Legitimate Interest
This is the most commonly used basis for call recording. You can argue a legitimate interest in recording calls for:
- Quality assurance and training — Monitoring calls to improve service quality and train staff.
- Dispute resolution — Having a record of what was agreed during a call.
- Establishing facts — Recording orders, instructions or agreements for accuracy.
When relying on legitimate interest, you must conduct a Legitimate Interest Assessment (LIA) to demonstrate that your interest in recording outweighs the individual's right to privacy.
Legal Obligation
Some industries are legally required to record calls. For example, financial services firms regulated by the FCA must record calls related to transactions and orders under MiFID II regulations. If recording is a legal requirement, this provides a clear lawful basis.
Consent
You can record calls based on the caller's explicit consent. However, consent under GDPR must be:
- Freely given — The caller must have a genuine choice.
- Specific — Consent must be for a specific purpose.
- Informed — The caller must understand what they're consenting to.
- Withdrawable — The caller must be able to withdraw consent at any time.
In practice, consent is rarely the best basis for routine business call recording because it can be withdrawn, and it's difficult to obtain meaningful consent at the start of every call.
Informing Callers About Recording
Regardless of your lawful basis, transparency is a core GDPR principle. You should always inform callers that the call is being recorded:
- Recording announcement — Play an automated message at the start of the call: "This call may be recorded for training, quality and compliance purposes."
- Verbal notification — For outbound calls, train staff to verbally inform the other party before recording begins.
- Privacy notice — Include information about call recording in your company's privacy notice on your website, explaining what you record, why, how long you keep it, and individuals' rights.
Data Storage Requirements
Call recordings must be stored securely to comply with GDPR's data security requirements:
- Encryption — Recordings should be encrypted both in transit and at rest. Most hosted VoIP providers store recordings in encrypted cloud storage.
- Access controls — Restrict access to recordings to authorised personnel only. Not everyone in the business should be able to listen to recorded calls.
- Audit trails — Maintain logs of who accesses recordings and when.
- Secure deletion — When recordings are deleted (either manually or through automated retention policies), ensure they are permanently and securely deleted.
- Data location — Be aware of where your recordings are stored. If using a cloud provider, ensure data is stored within the UK or EU, or that appropriate safeguards are in place for international transfers.
Retention Policies
GDPR's data minimisation principle requires that you keep personal data only for as long as necessary:
- Define a retention period — Determine how long you need to keep recordings based on your business purpose. Common periods include:
  - 90 days — Suitable for general quality assurance and training.
  - 6 months — Appropriate for sales and customer service dispute resolution.
  - 12 months — Common for businesses with longer sales cycles or complaint procedures.
  - 5–7 years — Required for some regulated industries (e.g., financial services under MiFID II).
- Automate deletion — Configure your VoIP system to automatically delete recordings after the retention period expires.
- Document your policy — Write a clear data retention policy that explains your retention periods and the reasoning behind them.
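The storage and retention points above (audit trails, secure deletion, purpose-based retention periods, automated deletion, legal holds that override expiry) can be exercised in one small retention job. The following is an added example, not code from the original page or from any VoIP provider: it assumes the recording catalogue is held in memory as `Recording` objects (a real PBX would load it from its database) and that the purpose labels such as `quality_assurance` are assumed names you would map to your own system's tags.

```python
"""Purpose-based retention with an audit trail and secure deletion for call recordings.

Added illustration, not the page's or any VoIP vendor's code. Assumes an in-memory
catalogue of Recording objects; purpose labels are assumed names.
"""
import json
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Retention periods (days) per recording purpose, following the guide's list.
# The keys are assumed labels; map them to whatever your PBX tags recordings with.
RETENTION_DAYS = {
    "quality_assurance": 90,
    "dispute_resolution": 182,     # roughly 6 months
    "complaints": 365,
    "mifid_ii": 7 * 365,           # regulated records: using the 7-year upper bound
}


@dataclass
class Recording:
    recording_id: str
    path: Path
    recorded_at: datetime        # timezone-aware UTC
    purpose: str
    legal_hold: bool = False     # set while the recording is needed for a legal claim


def expiry_date(rec: Recording) -> datetime:
    """Refuse rather than guess when a recording has no documented purpose."""
    if rec.purpose not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for purpose {rec.purpose!r}")
    return rec.recorded_at + timedelta(days=RETENTION_DAYS[rec.purpose])


def is_expired(rec: Recording, now: datetime) -> bool:
    # A legal hold (legal claims, legal obligation to retain) always wins over expiry.
    return not rec.legal_hold and now >= expiry_date(rec)


def secure_delete(path: Path) -> None:
    """Overwrite the file with random bytes, sync to disk, then unlink.
    Overwriting is not a guarantee on SSDs or cloud object stores; there you rely
    on the provider's crypto-shredding or documented deletion process instead."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        f.write(os.urandom(size))
        f.flush()
        os.fsync(f.fileno())
    path.unlink()


def apply_retention(catalogue, now: datetime, audit_log: Path, actor="retention-job"):
    """Delete expired recordings and append one JSON line per decision to the audit
    log, so the retention policy is evidenced rather than merely documented."""
    deleted, retained = [], []
    with open(audit_log, "a", encoding="utf-8") as log:
        for rec in catalogue:
            decision = "deleted" if is_expired(rec, now) else "retained"
            if decision == "deleted":
                secure_delete(rec.path)
                deleted.append(rec.recording_id)
            else:
                retained.append(rec.recording_id)
            log.write(json.dumps({
                "timestamp": now.isoformat(),
                "actor": actor,
                "recording_id": rec.recording_id,
                "purpose": rec.purpose,
                "expires": expiry_date(rec).isoformat(),
                "legal_hold": rec.legal_hold,
                "action": decision,
            }) + "\n")
    return deleted, retained


def run_demo():
    """Constructed sample catalogue in a temp directory; returns the decisions,
    the parsed audit entries and the files left on disk."""
    base = Path(tempfile.mkdtemp())
    utc = timezone.utc

    def make(rec_id, recorded_at, purpose, hold=False):
        p = base / f"{rec_id}.wav"
        p.write_bytes(b"RIFF" + os.urandom(256))   # constructed stand-in for audio
        return Recording(rec_id, p, recorded_at, purpose, hold)

    catalogue = [
        make("qa-001", datetime(2024, 1, 1, tzinfo=utc), "quality_assurance"),   # expired
        make("dr-002", datetime(2024, 1, 1, tzinfo=utc), "dispute_resolution"),  # still within 6 months
        make("qa-003", datetime(2024, 1, 15, tzinfo=utc), "quality_assurance", hold=True),  # expired but on hold
        make("mf-004", datetime(2016, 1, 1, tzinfo=utc), "mifid_ii"),            # past 7 years
    ]
    now = datetime(2024, 6, 1, tzinfo=utc)
    audit = base / "retention-audit.jsonl"
    deleted, retained = apply_retention(catalogue, now, audit)
    entries = [json.loads(line) for line in audit.read_text().splitlines()]
    still_present = sorted(p.name for p in base.glob("*.wav"))
    return deleted, retained, entries, still_present


if __name__ == "__main__":
    d, r, e, present = run_demo()
    print("deleted:", d, "retained:", r, "files left:", present)
```

Two design points worth keeping when adapting this: an unknown purpose raises instead of silently retaining, because a recording nobody can justify is exactly what data minimisation is meant to catch, and the audit log records retained decisions as well as deletions, so a regulator or a Subject Access Request can be answered with evidence of what was held and why.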
Subject Access Requests (SARs)
Under GDPR, individuals have the right of access to their personal data, including call recordings. If someone submits a Subject Access Request:
- You must respond within 30 days (extendable by a further 60 days for complex requests).
- Provide a copy of the recording in a commonly used format (e.g., MP3 or WAV).
- If the recording contains other people's personal data, you may need to redact their information before providing the recording.
- You cannot charge a fee for SARs unless the request is manifestly unfounded or excessive.
- Ensure your VoIP system allows you to search and retrieve specific recordings efficiently — by date, phone number or extension.
Right to Erasure
Individuals may also exercise their right to erasure (right to be forgotten) and request that their call recordings be deleted. However, this right is not absolute — you can refuse if:
- The recording is needed for legal claims or defence.
- You have a legal obligation to retain it.
- There is an overriding legitimate interest in keeping it.
Document your decision and reasoning if you refuse an erasure request.
Data Protection Impact Assessment (DPIA)
If your call recording involves large-scale processing of personal data or systematic monitoring (e.g., recording all calls across a contact centre), you should conduct a Data Protection Impact Assessment:
- Identify the risks to individuals' privacy.
- Assess whether recording is necessary and proportionate.
- Document the measures you've put in place to mitigate risks (encryption, access controls, retention limits).
- Review the DPIA periodically and update it as your practices change.
PCI-DSS Considerations
If your business takes card payments over the phone, you must also comply with PCI-DSS requirements in addition to GDPR:
- Never record card details — Pause recording before the caller provides their card number, expiry date or CVV.
- Use PCI pause features — Most hosted VoIP systems offer automatic pause/resume functionality for payment processing.
- DTMF masking — If callers enter card details via the keypad, ensure the DTMF tones are masked in the recording.
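The pause/resume and DTMF-masking controls above are easiest to reason about as a recording sink that sits between the call-control events and storage. The following is an added example, not code from the original page or from any VoIP vendor: the event stream is a constructed list, and the event names (`payment_start`, `payment_end`, `dtmf`, `audio`) are assumed names standing in for whatever your PBX's call-control API emits.

```python
"""Recording sink that pauses during payment capture and masks keypad digits.

Added example, not the page's or any VoIP vendor's code. Event names are assumed;
a real integration would receive them from the PBX's call-control API.
"""
import re
from dataclasses import dataclass, field


@dataclass
class RecorderSink:
    """Receives call events; only what ends up in `segments` would reach storage."""
    segments: list = field(default_factory=list)
    paused: bool = False
    dropped_audio: int = 0
    masked_dtmf: int = 0

    def handle(self, event: dict) -> None:
        kind = event["type"]
        if kind == "payment_start":
            # Agent or IVR signals that card details are about to be taken.
            self.paused = True
            self.segments.append({"type": "marker", "note": "recording paused for payment"})
        elif kind == "payment_end":
            self.paused = False
            self.segments.append({"type": "marker", "note": "recording resumed"})
        elif kind == "dtmf":
            # Design choice: keypad digits are masked whether or not we are paused, so a
            # caller keying a card number before the agent hits pause cannot be recorded.
            self.masked_dtmf += 1
            self.segments.append({"type": "dtmf", "digit": "*"})
        elif kind == "audio":
            if self.paused:
                self.dropped_audio += 1       # spoken card details never reach storage
            else:
                self.segments.append({"type": "audio", "data": event["data"]})
        else:
            raise ValueError(f"unknown event type {kind!r}")


# A post-hoc check a compliance reviewer can run over stored recordings' DTMF and
# transcript tracks: any run of 13 to 19 digits (with optional spaces) is a likely PAN.
PAN_LIKE = re.compile(r"(?:\d[ -]?){13,19}")


def contains_pan_like(segments) -> bool:
    text = "".join(
        s.get("digit", "") if s["type"] == "dtmf" else s.get("data", "")
        for s in segments if s["type"] in ("dtmf", "audio")
    )
    return PAN_LIKE.search(text) is not None


def run_demo():
    """Constructed call: greeting, payment window with spoken and keyed digits, goodbye."""
    events = [
        {"type": "audio", "data": "hello, I'd like to pay for order 1234"},
        {"type": "payment_start"},
        {"type": "audio", "data": "the number is 4111 1111 1111 1111"},   # constructed test PAN
        *[{"type": "dtmf", "digit": d} for d in "4111111111111111"],
        {"type": "payment_end"},
        {"type": "audio", "data": "thanks, that's gone through"},
    ]
    sink = RecorderSink()
    for ev in events:
        sink.handle(ev)
    return sink


if __name__ == "__main__":
    s = run_demo()
    print("segments stored:", len(s.segments), "audio dropped:", s.dropped_audio,
          "dtmf masked:", s.masked_dtmf, "PAN-like content:", contains_pan_like(s.segments))
```

The `contains_pan_like` check is deliberately simple (a digit-run regex over the stored tracks); it is meant as a smoke test that the pause and masking controls actually took effect, not as a substitute for the provider's PCI-validated pause feature.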
For more detail on call recording setup, see our call recording setup and compliance guide.
Need help ensuring your call recording is GDPR compliant? Get a quote for hosted VoIP and our team will configure compliant recording as part of your setup.