The moment you record — or even just transcribe — a phone call, you're processing someone's personal data, and UK GDPR applies. That sounds heavier than it is. In practice it comes down to four questions you can answer in an afternoon. Here they are, in plain English. (This is guidance, not legal advice — check your own case.)
1. A recorded call is personal data
Audio of a person's voice, and a transcript of what they said, are personal data. So UK GDPR applies the moment you keep it. If the call touches health, finances or anything sensitive, you're into special-category data, which needs extra care.
2. Pick a lawful basis — and write it down
You need a lawful reason to record. For most business calls that's one of two:
- Legitimate interests — the usual choice for quality, training or record-keeping. It requires a short Legitimate Interests Assessment (LIA): a written note weighing your need against the caller's reasonable expectations. It's not onerous, but "we didn't do one" is the finding you don't want.
- Consent — cleaner in some cases, but it must be freely given, and the caller must be able to decline and still get service.
3. Tell callers — at the start, clearly
Transparency is the part people skip and regulators care about. Callers should be told, up front, that the call is recorded, by whom, and why — the same breath in which a good AI agent says it's an AI. A buried line in a privacy policy isn't enough; the notice belongs at the top of the call.
A note on the marketing line: if the call sells, PECR adds consent rules on top of GDPR. A genuine research or satisfaction survey with no marketing isn't caught by those — but the moment a pitch appears, it is.
4. Keep only what you need, only as long as you need it
Data minimisation is the quiet superpower here. Do you need the audio, or just a structured summary of the outcome? Keeping less lowers your risk, your storage and your breach exposure all at once. Set a retention period and actually delete on it.
This is the design choice we made deliberately: for privacy-sensitive work, capture a structured transcript or notes rather than recording everything by default. The best way to protect call data is to not hold more of it than the job requires.
🎧 Listen to the compliance briefing above.
Related: Do you have to tell people it's an AI? · Compliance & trust · AI receptionist vs answering service