- Recording your own calls for personal use is lawful in the UK without telling the other party, because interception by a party to the communication falls outside the prohibition in the Regulation of Investigatory Powers Act 2000 (RIPA).
- Once a recording is shared, disclosed or processed beyond purely personal use, the UK GDPR and the Data Protection Act 2018 apply, requiring a lawful basis and transparency.
- RIPA section 1 makes it an offence to intercept a communication you are not a party to without lawful authority.
- Financial firms covered by the FCA rulebook implementing MiFID II must record telephone conversations relating to certain transactions and retain them for at least five years.
- Employers monitoring or recording staff calls must satisfy data protection principles set out in the Data Protection Act 2018 and provide clear information to employees.
Recording your own calls is legal in the UK. Telling the other party is not required for personal use, but sharing or business processing triggers GDPR duties and, in financial services, MiFID II retention rules.
Last reviewed: June 2026
The starting point: who is a party to the call
UK law treats call recording very differently depending on whether the person making the recording is themselves taking part in the conversation. The Regulation of Investigatory Powers Act 2000 prohibits the interception of communications, but that prohibition is aimed at people listening in on conversations they are not part of. A person who is on the call is not intercepting it in the prohibited sense, which is why recording your own telephone calls is lawful in the UK without obtaining the other party's permission.
This is often described as a one-party consent position, although the legislation does not use that phrase. The practical effect is that an individual recording a call they are part of, purely for their own later reference, does not commit an offence under RIPA simply by failing to announce that the call is being recorded. The position changes the moment the recording leaves the realm of purely personal use, because data protection law then becomes engaged.
When data protection law takes over
The lawful position under RIPA does not give a free hand to do anything with a recording. As soon as a recording is used for a purpose beyond personal or household activity, it becomes personal data processed under the UK GDPR and the Data Protection Act 2018. A business that records customer calls is processing personal data and must identify a lawful basis, tell callers what is happening and why, keep the recordings secure and retain them only for as long as necessary.
Transparency is central. Callers should be told in clear terms that a call may be recorded and the reasons for it, whether through an automated message, a notice at the start of the call or published information. The recording must serve a defined purpose, such as training, quality assurance, dispute resolution or compliance, and that purpose should be communicated rather than left implicit.
Beyond transparency, the broader data protection principles still apply to every recording. The purpose for which a recording is made should be specified and legitimate, and the recording should not later be used for an incompatible purpose without further justification. Only the data that is necessary for the stated purpose should be captured, recordings should be kept accurate where they are relied upon, and they should be retained no longer than necessary before secure deletion. Where recordings capture special category data, such as health information disclosed during a call, additional conditions for processing have to be met.
Security is a further obligation that is easy to underestimate. Recordings are often stored in bulk and can contain account details, payment information and other sensitive content, so they need appropriate technical and organisational measures to protect them against unauthorised access or loss. Individuals also retain their rights over recordings that constitute their personal data, including the right to make a subject access request, which means an organisation should be able to locate and produce a specific recording when one is lawfully requested.
What employers can record about staff
Employers sometimes wish to record or monitor employee calls, for training, performance management or to protect the business in disputes. This is permitted in principle, but it sits squarely within data protection law because the employee is an identifiable individual whose communications are being processed. Employers should set out monitoring in a clear policy, limit recording to what is necessary and proportionate, and avoid covert recording except in narrow and justified circumstances.
Employees are individuals too, and an employee recording a call they are part of follows the same RIPA logic as any other person: being a party to the call means there is no interception offence. Whether using such a recording later, for example in a grievance or tribunal, is appropriate is a separate question governed by employment procedure and the rules of the relevant forum rather than by RIPA.
Financial services and MiFID II
Financial services firms face stricter rules. The regime implementing the Markets in Financial Instruments Directive (MiFID II) in the UK requires firms carrying on certain activities to record telephone conversations and electronic communications that relate to the reception, transmission and execution of orders. The aim is to provide an evidential record for market integrity and consumer protection. Recordings of this kind must be retained, and the standard retention period is at least five years, with a longer period where a competent authority requires it.
These obligations are imposed through the FCA rulebook rather than directly by a single statute, and the duty to record is not optional for in-scope firms. Where a firm is subject to MiFID II recording rules, telling a client that a call is being recorded, and keeping that recording for the required period, becomes a compliance requirement rather than a discretionary practice.
Call recording legal framework by context
The table below summarises how the framework applies in different situations. It is a general orientation and not a substitute for advice on a specific set of facts.
| Context | Primary law engaged | Notify other party? | Key duty |
|---|---|---|---|
| Individual recording own call, personal use | RIPA 2000 | Not required | Keep use personal |
| Business recording customer calls | UK GDPR / DPA 2018 | Yes, transparency | Lawful basis and purpose |
| Employer monitoring staff calls | UK GDPR / DPA 2018 | Yes, via policy | Proportionate monitoring |
| Financial firm under MiFID II | FCA rulebook (MiFID II) | Yes | Record and retain 5 years |
| Listening to a call you are not part of | RIPA 2000 section 1 | N/A | Generally unlawful |
Practical points to remember
The single most important distinction is between recording a call you are part of and intercepting one you are not. The first is generally lawful under RIPA; the second is generally an offence. Beyond that, the question shifts from criminal interception law to data protection compliance, which is where most organisations spend their effort: lawful basis, transparency, security and retention.
Businesses should not assume that announcing a call is recorded is the only requirement. The announcement is a transparency measure, but the underlying processing still has to be necessary, proportionate and supported by an appropriate lawful basis. Where recordings might later be used in legal proceedings, the rules of the relevant court or tribunal will determine admissibility independently of how the recording was made.
It is also worth distinguishing between the lawfulness of making a recording and the appropriateness of how it is later used. A recording made lawfully because the maker was a party to the call can still cause problems if it is shared widely, posted online or used to embarrass someone, because those onward uses can engage data protection law and, in some circumstances, other legal duties around privacy and confidentiality. The safest approach for an individual is to keep a personal recording personal, and for an organisation to treat every recording as personal data that must be handled within a clear, documented framework.
For organisations operating across both ordinary customer service and regulated activity, the two regimes can apply at once. A general customer call may sit under data protection rules alone, while a call relating to an in-scope financial transaction triggers the MiFID II recording and retention obligations on top. Mapping which calls fall into which category, and configuring systems so that regulated calls are reliably captured and retained, is part of meeting both sets of duties without gaps.
Frequently Asked Questions
Is it legal to record phone calls in the UK?
Yes. Recording a telephone call that you are taking part in is lawful in the UK because RIPA's prohibition on interception is aimed at people who are not party to the communication. The position changes once the recording is shared or processed for business purposes, when data protection law applies.
Can I record a call without telling the other person?
For purely personal use, you can record a call you are part of without telling the other person, because being a party to the call means there is no unlawful interception. If the recording is used in a business context or disclosed to others, transparency obligations under data protection law generally require people to be informed.
What laws govern call recording in the UK?
The main laws are the Regulation of Investigatory Powers Act 2000, which addresses interception, and the UK GDPR together with the Data Protection Act 2018, which govern how recordings are processed as personal data. Financial firms are additionally subject to recording rules in the FCA rulebook implementing MiFID II.
Can businesses record calls without consent?
A business does not always rely on consent, but it must have a lawful basis under the UK GDPR and must be transparent with callers about recording and its purpose. Recording should be limited to what is necessary and proportionate, and the recordings must be kept securely and only for as long as needed.
What are MiFID II call recording rules?
Under the FCA rules implementing MiFID II, in-scope financial firms must record telephone conversations and electronic communications relating to certain orders and transactions. These recordings must be retained, with a standard minimum retention period of five years, so that they are available for regulatory and dispute purposes.
