Passion Fruit • 12 April 2026

GDPR Recording Phone Calls UK: 2026 Compliance Guide

Is It Legal to Record Phone Calls in the UK? A GDPR Guide for Businesses

Blog Written by Passionfruit

Last updated: April 2026

Key Takeaways - Quick Summary

UK GDPR rules on recording phone calls require a lawful basis before any business call can be recorded.

Consent is one option, but legitimate interests is the most common basis for businesses.

You are legally required to make all reasonable efforts to inform callers that recording may take place.

Under the GDPR, call recordings count as personal data and must be stored securely with clear retention policies.

Penalties for non-compliance can reach up to £17.5 million or 4% of global annual turnover.

Financial services firms have additional recording requirements under FCA regulations.

You have probably heard the phrase "this call may be recorded for training and quality purposes" hundreds of times. But when you are on the other side, running a business and recording your own calls, the rules suddenly feel a lot less clear.

The short answer is yes: recording phone calls is legal for businesses in the UK, but there are specific rules you need to follow.

Two key areas of legislation apply: the Telecommunications (Lawful Business Practice) Regulations 2000, which govern when businesses can record, and the UK General Data Protection Regulation (UK GDPR) alongside the Data Protection Act 2018, which govern how the recorded data must be handled.

After helping more than 1,000 UK businesses set up modern cloud phone systems with built-in call recording, here is what you need to know to stay on the right side of the law.

What the Law Actually Says About Recording Calls

UK call recording rules sit across several pieces of legislation, and understanding how they work together is the first step to getting compliance right.

The Telecommunications Regulations 2000

  • Establishing the existence of facts related to business transactions
  • Ascertaining compliance with regulatory or self-regulatory practices and procedures
  • Ascertaining or demonstrating standards achieved by staff (quality control and training)
  • Preventing or detecting crime
  • Investigating unauthorised use of the telephone system
  • Securing the effective operation of the system

Under these regulations, businesses do not always need the caller’s explicit consent to record. However, Regulation 3(2)(c) does require the system controller to make “all reasonable efforts to inform every person who may use the telecommunication system” that communications may be intercepted. In practice, this means notifying callers is a legal obligation under the Regulations themselves, not just a courtesy. The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-Keeping Purposes) Regulations 2018 replicate these provisions under the Investigatory Powers Act 2016.


UK GDPR and the Data Protection Act 2018

Does GDPR apply to phone calls? Yes, without exception. A recorded phone call captures a person's voice and often their name, address, or financial details. That makes every recording personal data under the UK GDPR, which means you need a lawful basis for processing. The most relevant lawful bases for recording phone calls under the GDPR are:

  • Legitimate interests, the most commonly used basis. You have a genuine business need, such as quality assurance, training, or dispute resolution, and the recording does not unreasonably override the caller’s rights.
  • Legal obligation, where your industry regulator requires you to record calls. Financial services firms regulated by the FCA fall into this category.
  • Performance of a contract, where the recording is necessary for fulfilling a contractual obligation with the caller.
  • Consent, where the caller explicitly agrees to be recorded. While valid, consent can be withdrawn at any time, which makes it less practical as a primary basis for most businesses.

Do You Actually Need Consent to Record?

Many business owners assume they always need explicit consent before pressing record. That is not always the case.

When Consent Is Not Required

Are phone calls covered by GDPR in a way that always requires consent? No. If your business relies on legitimate interests as its lawful basis under GDPR, you do not technically need the caller's explicit permission to record. However, as noted above, Regulation 3(2)(c) requires you to make all reasonable efforts to inform anyone who may use your phone system that calls may be recorded. A simple automated message, such as "calls may be recorded for training and quality purposes," satisfies this requirement.

When Consent Is Essential

You will need explicit consent if you plan to use a recording beyond its original purpose, such as sharing it externally or passing it to a third party.

Storing and Managing Call Recordings Under GDPR

Your GDPR obligations for call recordings do not end when the call does. How you store, access, and delete recordings matters just as much as how you capture them.

Secure Storage and Retention

Call recordings must be stored securely with role-based access restrictions. Encryption and audit trails are strongly recommended. Modern VoIP phone systems typically include cloud-based storage with built-in security features, making compliance considerably easier than older on-premise systems.

Under GDPR, you should only keep recordings for as long as they are needed for their stated purpose. Callers also have the right to request deletion of their personal data, including call recordings. Your business must be able to locate and securely delete specific recordings when asked, unless a legal exemption applies. FCA-regulated firms must retain recordings for a minimum of five years; outside regulated industries, retention periods typically range from 6 to 24 months.


What Happens If You Get Compliance Wrong

The ICO can impose fines of up to £17.5 million or 4% of your organisation’s annual global turnover, whichever is higher. Beyond financial penalties, compliance failures can lead to legal claims, reputational damage, operational disruption from investigations, and loss of sensitive data.

A Simple Compliance Checklist

If your business records calls, running through this checklist can help you stay compliant with UK GDPR call recording requirements:


  • Identify your lawful basis for recording under GDPR
  • Make all reasonable efforts to inform callers that recording may take place, as required by the Telecommunications Regulations 2000
  • Document your recording policy and the purposes recordings serve
  • Store recordings securely with role-based access controls
  • Set a clear retention period and delete recordings when it expires
  • Have a process for responding to data access or deletion requests
  • Train your staff on the policy and their responsibilities

How The VoIP Shop Helps UK Businesses Record Calls Compliantly

Setting up compliant call recording does not need to be complicated. The VoIP Shop provides UK businesses with cloud phone systems that include built-in call recording with secure cloud storage, configurable recording announcements, and access controls. For businesses that need PCI-compliant call recording, dedicated options are also available.

With UK-based 24/7 support and a dedicated account manager for every customer, your team can get set up with confidence.

FAQs

  • Is recording a phone call without telling the other person illegal in the UK?

    For personal use, individuals can record their own calls without telling the other party under RIPA 2000. For business purposes, the Telecommunications Regulations 2000 require you to make all reasonable efforts to inform users of the system that calls may be intercepted. You also need a lawful basis under the UK GDPR.

  • Does GDPR apply to phone calls?

    Yes. Phone calls are covered by GDPR. Any call that captures a person's voice, name, or personal details constitutes personal data. Every business that records calls must have a lawful basis, a storage policy, and a process for handling data subject requests.

  • What is the most common lawful basis for business call recording?

    Legitimate interests is the most widely used basis. Businesses typically rely on it for purposes like staff training, quality assurance, and dispute resolution.

  • How long can a business keep call recordings?

    There is no single legal time limit. Recordings should only be retained for as long as needed for their stated purpose. Most businesses set retention periods between 6 and 24 months, though FCA-regulated firms must retain recordings for at least five years.

  • Can a caller ask me to delete their recording?

    Yes. Under GDPR, individuals have the right to request erasure of their personal data. You must comply unless a legal exemption applies, such as a regulatory retention requirement.

  • What is the relationship between GDPR and nuisance phone calls?

    GDPR and nuisance phone calls are connected through data protection and marketing consent rules. Businesses making unsolicited marketing calls must comply with GDPR, the Privacy and Electronic Communications Regulations (PECR), and the rules set by the TPS (Telephone Preference Service).

  • Does call recording work differently with VoIP systems?

    The legal requirements are the same regardless of the phone technology. However, modern VoIP phone systems make compliance easier with features like automatic recording announcements, encrypted cloud storage, and simple access management.
