
VoIP Call Recording: Compliance for UK Businesses

What UK businesses must do to record VoIP calls lawfully: GDPR obligations, MiFID II and FCA conduct rules for financial firms, retention periods, and how to configure recording on a hosted system.

Chandraketu Tripathi
Finance Editor, Kaeltripton
Published 5 Jun 2026
Last reviewed 5 Jun 2026
KEY FACTS
  • A call recording that identifies a person is personal data, so the UK General Data Protection Regulation and the Data Protection Act 2018 apply to it.
  • Recording requires a lawful basis and the people on the call must be informed, in line with the transparency principle in the UK GDPR.
  • Financial firms within scope of MiFID II must record communications that relate to certain transactions and keep them for at least five years.
  • The Investigatory Powers Act 2016 governs interception of communications and sets the boundaries for monitoring beyond simple recording.
  • There is no single statutory retention period for all business recordings, so retention is set by the lawful basis, sector rules and a documented policy.
TL;DR

Record VoIP calls only with a lawful basis, tell callers it is happening, keep recordings as long as the purpose and any sector rules require, and store them securely under the UK GDPR.

Why call recording is a data protection question

A recorded telephone call almost always captures information about identifiable individuals, including the words they say, their voice and often personal details they disclose. That makes the recording personal data, and in some cases special category data, which brings it squarely within the UK General Data Protection Regulation and the Data Protection Act 2018. A business cannot treat recording as a purely operational decision; it is a processing activity that must satisfy the same principles as any other handling of personal data. The fact that the audio sits on a VoIP provider's servers rather than in a filing cabinet does not change the analysis, because the law follows the data, not the medium.

Those principles require a lawful basis for recording, transparency about what is happening, a clear and limited purpose, retention only for as long as that purpose needs, and appropriate security. A common lawful basis for business recording is legitimate interests, which requires the organisation to balance its purpose against the rights of the people on the call and to document that assessment in a structured legitimate interests assessment. Where the recording is necessary to comply with a legal obligation, that obligation can itself provide the basis, which removes the need for the balancing test but narrows the use to what the obligation actually requires. Consent is rarely the right basis for routine business recording, because it can be withdrawn at any time and because a caller who needs the service cannot freely refuse, which undermines the validity of the consent.

A further consideration is purpose limitation. A recording captured to train staff cannot later be repurposed to monitor an individual employee or to build a marketing profile without revisiting the lawful basis and the transparency information. Each new use is, in data protection terms, a fresh question. Keeping the stated purpose tight at the point of recording therefore makes the rest of the compliance work simpler, because the organisation is not trying to justify uses it never told anyone about.

Telling people calls are recorded

The transparency principle means people must be informed that a call may be recorded and why, usually through a short announcement at the start of the call and a fuller explanation in a privacy notice. The notice should state the purpose, the lawful basis, how long recordings are kept and how a person can exercise their rights, including the right of access. Silent or covert recording of customers without a justifiable and lawful reason is difficult to defend and risks breaching the transparency requirement. A simple recorded message such as a statement that the call may be recorded for training and quality purposes satisfies the immediate notice, while the privacy notice carries the detail that would not fit into a spoken line.

Transparency also feeds the right of access. Because a caller can ask for a copy of their personal data, an organisation that records calls must be able to find a specific recording, confirm it relates to the requester and supply it within the statutory time limit, normally one month. A recording system that cannot be searched by caller, date or number turns an ordinary access request into a costly manual exercise, so the ability to retrieve recordings is a practical compliance issue, not just a storage one.

Interception of communications is separately governed by the Investigatory Powers Act 2016, which sets limits on monitoring beyond the act of recording a call to which the business is a party. Routine recording of a business's own calls, with appropriate notice, is generally a long way from the activities that Act is concerned with, but any monitoring of employees should also be assessed for fairness and proportionality and supported by a clear policy. Monitoring that singles out one worker, or that listens to calls live without the staff member knowing, raises questions of fairness that a blanket recording policy does not, so the staff-facing policy and the customer-facing notice should be treated as two distinct documents.

Retention: how long to keep recordings

There is no universal statutory period that fits every business recording. Instead, retention flows from the purpose for which the call was recorded, any sector-specific rules, and the principle that personal data should not be kept longer than necessary. A recording kept for training might be deleted within weeks, while one kept as evidence of a contract or a complaint might be retained for the period a related claim could be brought. The key compliance step is to set and document a retention schedule and then apply it consistently, including secure deletion when the period ends.

The mechanism that makes this work is automatic deletion. A retention rule that depends on someone remembering to clear old recordings will drift, because storage is cheap and the path of least resistance is to keep everything. Configuring the platform to delete recordings a set number of days after capture turns the policy into a default that happens without intervention, which is both easier to evidence and harder to breach. Where different categories of call need different periods, for example a short window for general calls and a longer window for complaint-related calls, the cleanest approach is to record those categories into separate storage areas, each with its own rule, rather than relying on staff to tag individual recordings correctly.

VoIP call recording compliance requirements by sector

The table summarises how the headline obligations differ across common sectors. It is a guide to the framework rather than a substitute for sector rules.

| Sector | Recording driver | Typical retention |
|---|---|---|
| General business | Legitimate interests, training, evidence | Set by purpose and policy |
| Financial services (MiFID II) | Legal obligation for relevant transactions | At least five years |
| Healthcare and care | Legitimate interests with care over special category data | Set by purpose and policy |
| Public sector | Public task or legal obligation | Set by records schedule |

The financial services position under MiFID II

Firms carrying out investment activities within the scope of the second Markets in Financial Instruments Directive, brought into UK law and carried forward in the FCA Handbook, face a stricter regime. Where conversations relate to the reception, transmission or execution of relevant orders, the firm is required to record them, and the records must be kept for at least five years, extended to seven where a competent authority requires it. The Conduct of Business sourcebook, known as COBS, contains the detailed rules on taping and on which communications fall in scope, including the requirement to record relevant calls made on equipment the firm permits staff to use.

Because these are legal obligations rather than optional recordings, the lawful basis under data protection is typically compliance with a legal obligation, and the firm must still meet the GDPR principles of security and transparency alongside the conduct rules. A firm that is unsure whether a given desk or activity is in scope should treat the boundary carefully, because the consequence of failing to record an in-scope conversation is a regulatory breach, not merely a missing recording. The taping rules also reach beyond the office: where staff conduct relevant business on mobiles or from home, the firm has to either route those calls through a recorded line or prohibit the activity on unrecorded devices, which is a direct reason many regulated firms standardise on a hosted VoIP platform that records every endpoint the same way.

Configuring recording on a VoIP system

On a hosted VoIP platform, recording is usually a setting applied per extension, per group or for all calls, with audio captured at the provider's data centre and stored either there or in a connected archive. The practical compliance work is to enable recording only where there is a lawful basis, to switch on the start-of-call announcement, and to point storage at a location with access controls, encryption and a retention rule that deletes recordings automatically when their period ends. Access to recordings should be limited to staff with a genuine need, and that access should be logged.

Where calls may contain payment card details or other especially sensitive information, pause-and-resume features that suppress recording during those moments reduce the data held and the associated risk. Some platforms automate this by detecting when an agent opens a payment screen and pausing the recording until the card entry is finished, which removes the reliance on an individual remembering to press a button. Whichever configuration is chosen, it should be written down so that the organisation can demonstrate accountability, which the UK GDPR treats as a principle in its own right. The written record should cover who can access recordings, how long they are kept, where they are stored and how they are deleted, so that the configuration can be audited rather than reconstructed from memory.
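As an added illustration, not material from the article or any particular platform's configuration, the Python sketch below models the retention and access rules described in the retention and configuration sections: one retention rule per storage area, automatic selection of recordings due for deletion with a legal-hold override, and a role-restricted access check that logs every attempt. The retention values (other than the MiFID II five-year minimum), the role names and the sample archive are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention per storage area as (years, days); values are constructed for the
# example, and only the MiFID II five-year minimum comes from the article.
RETENTION = {
    "general": (0, 30),    # training/quality calls: short window
    "complaints": (6, 0),  # kept while a related claim could still be brought
    "mifid": (5, 0),       # MiFID II minimum; seven where the regulator requires
}
AUTHORISED_ROLES = {"qa_lead", "compliance"}  # named roles, constructed
ACCESS_LOG = []  # one entry per access attempt, granted or refused
TODAY = date(2026, 6, 5)  # the article's review date, used for the demo sweep

@dataclass
class Recording:
    rec_id: str
    area: str      # storage area chosen at capture time, one per call category
    captured: date
    legal_hold: bool = False  # suspends deletion while a claim is open

def expiry_date(rec):
    """First day on which the area's retention rule permits deletion."""
    years, days = RETENTION[rec.area]
    try:
        end = rec.captured.replace(year=rec.captured.year + years)
    except ValueError:  # captured on 29 Feb, target year has no 29 Feb
        end = rec.captured.replace(year=rec.captured.year + years, month=3, day=1)
    return end + timedelta(days=days)

def retention_sweep(recordings, today):
    """Ids due for secure deletion today; a legal hold overrides the rule."""
    return [r.rec_id for r in recordings
            if not r.legal_hold and today >= expiry_date(r)]

def access_recording(rec, user, role, purpose, today):
    """Grant access only to authorised roles and log every attempt."""
    granted = role in AUTHORISED_ROLES
    ACCESS_LOG.append({"rec": rec.rec_id, "user": user, "role": role,
                       "purpose": purpose, "on": today.isoformat(), "granted": granted})
    return granted

# Constructed sample archive spanning the three storage areas.
SAMPLE = [
    Recording("r1", "general", date(2026, 4, 1)),
    Recording("r2", "general", date(2026, 5, 20)),
    Recording("r3", "complaints", date(2020, 1, 15)),
    Recording("r4", "complaints", date(2020, 1, 15), legal_hold=True),
    Recording("r5", "mifid", date(2022, 6, 1)),
]
```

Running `retention_sweep(SAMPLE, TODAY)` selects only the expired general call and the expired complaint recording without a hold, leaving the recent call, the held complaint and the MiFID recording in place.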

Security, access controls and accountability

Storing recordings securely is a specific obligation rather than a general aspiration. Because a recording can contain names, account numbers and other identifiers, the security principle requires controls proportionate to that sensitivity, which in practice means encryption of the stored files, encryption of the audio in transit between the handset and the data centre, and access restricted to named roles. A recording archive that any member of staff can browse is hard to defend, because the principle of data minimisation extends to who can see the data, not only how much is collected.

Accountability ties these controls together. The organisation should be able to show, through an access log, exactly who listened to a given recording and when, which both deters misuse and provides a trail if a recording is later disclosed without authority. Where recording is introduced for the first time, or expanded to cover sensitive conversations such as those in a debt or health context, a data protection impact assessment is the structured way to record the risks and the mitigations, and the law requires one where the processing is likely to result in a high risk to individuals. Carrying out that assessment before going live, rather than after a complaint, is what turns a recording project from a liability into a defensible, documented system.

Frequently Asked Questions

Do I have to tell callers I am recording?

In nearly all cases yes, because the transparency principle of the UK GDPR requires people to be informed that their personal data is being processed. This is usually done with a short announcement at the start of the call and a fuller explanation in a privacy notice covering the purpose, lawful basis and retention period. Covert recording without a clear and lawful reason is difficult to justify and exposes the organisation to a transparency complaint.

How long must I keep call recordings?

There is no single period for all businesses; retention is set by the purpose of the recording, any sector rules and a documented schedule. Financial firms recording under MiFID II must keep relevant recordings for at least five years, while a general business might keep training calls for only a short time. The safest approach is to set the period in advance and have the platform delete recordings automatically when it passes.

What GDPR rules apply to VoIP call recording?

A recording that identifies a person is personal data, so it needs a lawful basis, transparency, a defined purpose, retention no longer than necessary and appropriate security. The organisation must also be able to demonstrate it has met these requirements, which is the accountability principle, and a data protection impact assessment may be required where the recording is likely to be high risk.

Do financial services firms have different call recording rules?

Yes. Firms within the scope of MiFID II must record communications relating to certain transactions and keep them for at least five years, with the detail set out in the FCA Conduct of Business sourcebook. These are legal obligations that sit alongside the general data protection duties, and they extend to relevant calls made on mobiles or from home, not only those made in the office.

How do I set up call recording on a VoIP system?

On most hosted systems recording is a setting applied per extension or group, with audio stored at the provider or in a linked archive. Enable it only where a lawful basis exists, switch on the recording announcement, restrict and log access, and apply a retention rule that deletes recordings securely when their period ends. Use pause-and-resume to avoid capturing payment card details, and write the whole configuration down for accountability.

DISCLAIMER: Kael Tripton Ltd is not authorised or regulated by the Financial Conduct Authority. This article is for informational purposes only and does not constitute financial, legal, or professional advice. Always seek independent professional advice before making financial decisions. Kael Tripton Ltd, registered in England and Wales (No. 17177071), is registered with the ICO under ZC135439.

Chandraketu Tripathi
Finance Editor · Kaeltripton.com
Chandraketu (CK) Tripathi, founder and lead editor of Kael Tripton. 22 years in finance and marketing across 23 markets. Writes on UK personal finance, tax, mortgages, insurance, energy, and investing. Sources: HMRC, FCA, Ofgem, BoE, ONS.
