Skip to content
Voxora guides

Is it legal to record business calls in the UK?

Yes. UK businesses can lawfully record calls, but you must inform callers and have a lawful basis under the UK GDPR and the Data Protection Act 2018. You do not always need explicit consent, yet you must always be transparent, store recordings securely, keep them only as long as needed, and protect card details under PCI rules. This is general information, not legal advice.

What does UK law actually say about recording calls?

Recording a business call is legal in the UK, but several overlapping rules apply. The main framework is data protection: the UK GDPR and the Data Protection Act 2018, both overseen by the Information Commissioner's Office (ICO). A voice recording that can identify someone is personal data, so processing it means meeting the same principles as any other personal data, including a lawful basis, transparency and security.

There is also the older regulation that governs interception of communications and the rules that apply to telecoms providers, which Ofcom oversees at the network level. For most businesses recording their own inbound and outbound calls, the practical rules that bite day to day come from data protection law and ICO guidance rather than the interception rules.

The headline is straightforward. You are allowed to record, but you cannot do it secretly for business purposes, you need a genuine reason that the law recognises, and you have to handle the recordings responsibly afterwards. The sections below break those duties down. None of this is legal advice for your specific situation, and if you operate in a regulated sector you should check your sector rules too.

Do I need consent, or is legitimate interest enough?

Under UK GDPR you need a lawful basis to record and keep a call. The two bases businesses most often rely on are consent and legitimate interests. The right one depends on why you are recording.

Legitimate interests can cover purposes such as staff training, quality monitoring, resolving disputes and preventing fraud, provided your interest is balanced fairly against the caller's rights and you document that assessment. This is why many companies do not ask each caller to say "yes" before recording: they rely on legitimate interests and simply inform people clearly.

Consent is the safer or required basis in some cases, for example where you are recording special category data such as health information, where the purpose is marketing, or where no other basis fits cleanly. Where consent is the basis, it must be freely given, specific and informed, and the caller must be able to refuse. The table below summarises the common situations.

Purpose of recordingCommon lawful basisWhat you must do
Training and quality monitoringLegitimate interestsInform callers, run a balancing assessment, limit retention
Dispute evidence and fraud preventionLegitimate interestsInform callers, keep only relevant recordings
Marketing or sales follow-up consentConsentAsk clearly, allow refusal, record the consent
Special category data (e.g. health)Explicit consent or specific conditionMeet the higher bar in UK GDPR Article 9
Regulatory requirement (e.g. some financial calls)Legal obligationFollow the specific sector rule

What about the "this call may be recorded" message?

The familiar announcement exists to meet the transparency duty. UK GDPR requires that people are told their personal data is being processed and why, in clear and accessible language. A short spoken notice at the start of a call, such as "your call may be recorded for training and quality purposes", is the standard way to do this for inbound calls.

The law does not mandate an exact script, only that people are genuinely informed before or at the point of recording. Good practice is to pair the spoken notice with a privacy notice on your website that explains who you are, why you record, your lawful basis, how long you keep recordings and how someone can exercise their rights. For outbound calls your agents should state the same thing early in the conversation.

Being upfront also protects your business. If a caller objects, you can explain the purpose and basis. If they are relying on consent and withdraw it, you should stop recording. A clear notice plus an accessible privacy notice is widely accepted as meeting the transparency requirement, and it keeps callers comfortable rather than caught out.

How must I store, retain and secure recordings?

Once you have a recording, the storage limitation and security principles of UK GDPR apply. You should keep recordings only as long as you genuinely need them for the stated purpose, not indefinitely. Many businesses set a defined retention window, delete recordings automatically at the end of it, and document the policy. The right period depends on your purpose and any sector rules.

Security matters just as much. Recordings should be stored with appropriate access controls so only authorised staff can listen to them, protected in transit and at rest, and covered by your wider data protection measures. Callers also have rights: they can request access to a recording of themselves, and in some cases ask for erasure, so you need to be able to find and retrieve recordings when asked.

If you use AI transcription or call summaries, the transcripts and summaries are personal data too, and the same retention, access and security duties apply to them. Plan for the whole lifecycle, from the recording to any derived text. To see how routing and recording fit together in a modern phone system, read our guide to auto-attendant, IVR and call routing.

What are the rules for card details and PCI?

Taking card payments over the phone adds a specific rule on top of data protection. Under the Payment Card Industry Data Security Standard (PCI DSS), the card security code (the CVV) must never be stored after authorisation, and sensitive card data should not sit in a call recording.

The two common solutions are pause and resume, where the recording is automatically paused while the caller reads out card details and resumed afterwards, and secure payment capture, where card numbers are entered through a separate secure channel so they never enter the call audio at all. Either approach keeps card data out of your stored recordings and reduces your compliance burden.

If your business handles card payments by phone, build this into your process from the start rather than relying on agents to remember. It protects your customers, keeps you on the right side of PCI DSS, and avoids the awkward situation of having to scrub card data out of historical recordings later.

Frequently asked questions

Do I need consent to record a business call in the UK?

Not always explicit consent, but you must always inform people that the call may be recorded and have a lawful basis under UK GDPR. Many businesses rely on legitimate interests for purposes like training or quality. Explicit consent is the safer basis where you are recording sensitive information or have no other clear lawful basis.

Is the "this call may be recorded" message legally required?

A spoken or written notice is the standard way to meet the transparency duty in UK GDPR, so callers know recording happens and why. The law requires that people are informed, not a specific script. A clear announcement at the start of the call, plus a privacy notice, is widely accepted best practice.

Can I record calls without telling the other person?

For business purposes, no. You must be transparent with callers under UK GDPR, which means informing them. Covertly recording people without informing them risks breaching data protection law and damaging trust. A purely personal recording for your own use sits under different rules, but business recording must be open.

How long can I keep call recordings?

Only as long as you genuinely need them for the stated purpose. UK GDPR requires a retention period that is proportionate, not indefinite storage. Many businesses keep recordings for a set window, for example 6 months for quality and training, then delete them. Regulated sectors may have longer mandated periods.

What about card details and PCI on recorded calls?

You must not store card security codes, and PCI DSS rules mean sensitive card data should not be kept in recordings. The usual approach is to pause and resume the recording while card details are read out, or to use secure payment capture that keeps card numbers out of the recording entirely.

Ready to sort your business phones?

Keep your number, go live in minutes, real UK support.