DEV Community

Dialphone Limited

A Realistic Look at VoIP Call Recording Compliance in the UK (PCI DSS, FCA, GDPR)

Honestly, most call recording compliance advice online is written by people who have never had to defend a recording decision to a regulator. From my experience at DialPhone supporting financial services customers since 2022, here is what actually matters.

The three UK regimes that touch call recording

Regime | Who it applies to | What it requires
--- | --- | ---
UK GDPR + Data Protection Act 2018 | Every UK business | A lawful basis, transparency (the recording notice), a written retention policy, subject access
FCA SYSC 10A (the MiFID II recording rule that replaced COBS 11.8 in 2018) plus the SYSC 9.1 record-keeping rules | FCA-regulated firms in scope of SYSC 10A (investment advice, dealing, portfolio management) | Mandatory recording of in-scope calls and electronic communications; 5-year retention, extendable to 7 at the FCA's request
PCI DSS v4.0 | Anyone taking card payments by phone | Never store sensitive authentication data (CVV2/CAV2, full track data, PINs) after authorisation; a recording that captures it counts as storage

Those three overlap badly. A financial adviser taking a card payment by phone triggers all three at once, and they pull in different directions: the FCA wants the whole conversation kept for years, PCI DSS wants part of it never stored at all, and UK GDPR wants the minimum kept for the shortest justifiable time.

What the regulators actually ask for in an audit

Not gonna lie, this is the thing almost nobody gets right.

FCA

If you are FCA-regulated and recording under SYSC 10A (formerly COBS 11.8):

  • Recordings of in-scope calls and electronic communications kept for 5 years; the FCA can require up to 7, so size your storage for 7
  • Must be searchable and retrievable on request within a reasonable time (interpreted in practice as 72 hours)
  • Must be stored in a form that cannot be altered or deleted without trace. Most SaaS platforms claim this; ask how they do it (hashing, signing, write-once storage) rather than take it on trust
  • Must cover every channel the firm uses for in-scope conversations, including mobile and WhatsApp if staff use it for business

The WhatsApp point is the one that has caught 14 of our financial services customers off-guard since 2023. If your adviser messages a client on WhatsApp about their portfolio, the FCA treats that as an in-scope communication and expects it recorded.

GDPR / ICO

  • Lawful basis: legal obligation (Art 6(1)(c)) where FCA rules require the recording, legitimate interests (Art 6(1)(f)) for most other business calls. Consent is rarely the right basis for call recording because the caller cannot realistically refuse, and you pick one basis rather than stacking them
  • Pre-call notification: the "this call may be recorded" announcement is how you meet the Art 13 transparency duty, so yes, it is still required
  • Subject access requests: you must produce a copy of any recording featuring the subject within 1 month (extendable by up to 2 further months for complex requests, and you must tell the subject why)
  • Retention policy: must be written down and must be justifiable (typical: 6 months for general calls, 12 months for disputes, 5-7 years for regulated calls)

ICO enforcement pattern 2023-2025: almost always about retention (keeping recordings longer than the written policy says) or subject access (failing to produce recordings when asked).

PCI DSS v4.0

This is the one that trips up most VoIP deployments.

  • You must not store sensitive authentication data (CVV2/CVC2/CAV2/CID, full track data, PIN blocks) after a transaction is authorised, and you may keep the PAN only if it is rendered unreadable. If the customer reads their CVV out loud on a recorded call, the recording now contains CVV data and you are out of compliance the moment it hits storage; a spoken PAN also drags the recording platform into PCI scope.
  • The usual solution is "pause and resume": the recorder stops capturing audio the instant the agent's cursor enters the card field in the payment system and restarts when it leaves. The trigger has to be an event from the payment system, not an agent remembering to press a button, and it should fail closed (stay paused) if the resume signal never arrives.
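What event-driven pause and resume looks like in code, as an added example that is not DialPhone's code and does not use any real PBX or payment-system API. The call is modelled as timestamped audio frames and the payment system as timestamped events named card_field_focus and card_field_blur (hypothetical names, chosen for the example); both streams are constructed inline in demo_call(). It fails closed when the resume event never arrives, ignores duplicate or stray events, and ends with the check a practitioner would run before a recording is committed to storage.

```python
"""Pause-and-resume call recording driven by payment-system events.

Added example: not DialPhone's code and not any real PBX or payment API.
The call is modelled as timestamped audio frames and the payment system as
timestamped events named card_field_focus / card_field_blur (hypothetical
names); both streams are constructed inline in demo_call().
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    t_ms: int
    audio: bytes            # opaque audio payload


@dataclass(frozen=True)
class PaymentEvent:
    t_ms: int
    kind: str               # PAUSE or RESUME below


@dataclass
class Recording:
    frames: list = field(default_factory=list)
    # (start_ms, end_ms) windows where capture was deliberately suppressed.
    # Kept so the gap is explainable to the FCA and so a PCI assessor can
    # see that the pause actually fired for every card capture.
    suppressed: list = field(default_factory=list)


PAUSE = "card_field_focus"   # agent's cursor enters the card-number/CVV field
RESUME = "card_field_blur"   # agent leaves the field (capture done or abandoned)


def record_call(frames, events):
    """Store every frame except those between a PAUSE and its matching RESUME.

    Fails closed: if RESUME never arrives (payment page timed out, agent
    desktop crashed) the recording stays paused to the end of the call.
    A missing stretch of audio is a retention finding; a stored CVV is a
    PCI breach, so the cheaper failure is the one chosen.
    """
    rec = Recording()
    paused_at = None
    last_t = None
    # Sort on (time, priority) only, so at equal timestamps the payment event
    # is handled before the frame and a pause at t suppresses the frame at t.
    timeline = sorted([(e.t_ms, 0, e) for e in events]
                      + [(f.t_ms, 1, f) for f in frames],
                      key=lambda x: (x[0], x[1]))
    for t, _, item in timeline:
        last_t = t
        if isinstance(item, PaymentEvent):
            if item.kind == PAUSE and paused_at is None:
                paused_at = t
            elif item.kind == RESUME and paused_at is not None:
                rec.suppressed.append((paused_at, t))
                paused_at = None
            # a repeated PAUSE, or a RESUME with no open pause, is ignored
        elif paused_at is None:
            rec.frames.append(item)
    if paused_at is not None:           # call ended while still paused
        rec.suppressed.append((paused_at, last_t))
    return rec


def leaked_frames(rec):
    """Frames stored despite lying inside a suppressed window. Must be empty;
    run it as the last check before the recording is committed to storage."""
    return [f for f in rec.frames
            if any(s <= f.t_ms < e for s, e in rec.suppressed)]


def demo_call():
    """Constructed sample: 11 frames 100 ms apart, card captured 300-700 ms."""
    frames = [Frame(t, b"\x00" * 160) for t in range(0, 1100, 100)]
    events = [PaymentEvent(300, PAUSE), PaymentEvent(700, RESUME)]
    return record_call(frames, events)


if __name__ == "__main__":
    rec = demo_call()
    print("stored frames:", [f.t_ms for f in rec.frames])
    print("suppressed:", rec.suppressed, "leaks:", leaked_frames(rec))
```

The suppressed windows are written alongside the recording on purpose: an FCA reviewer will ask why there is a 400 ms hole in a regulated call, and the answer "card capture, triggered by the payment system at 300 ms" needs to be on record rather than reconstructed from memory.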

We had a retail customer in 2024 who had this configured wrong for 8 months. Recordings contained about 12,000 CVVs. When they spotted it, the remediation was: delete all affected recordings, conduct a full PCI re-audit (£18,000), and write to every affected customer under GDPR Art 33. Expensive.

What a good VoIP provider should give you

  1. Pause and resume integrated with your payment system (not a manual button the agent remembers to click)
  2. Written retention policies that you can configure per queue / per caller type
  3. Tamper-evident storage (hashed, signed, encrypted at rest)
  4. UK data residency (matters for GDPR Art 44 transfers; FCA has its own views on overseas storage)
  5. Searchable retrieval (the "can I find a specific call from 2022" test — try it before you sign)
  6. Automatic deletion after retention window expires
  7. Audit log of who accessed which recording and when

Boring checklist, but 4 of our new customers in Q1 2026 came from competitors who missed one of these.

The UK-specific gotchas

  • Mobile recording: your provider must offer a business mobile app that records calls on the company number. Personal mobile + business calls = compliance hole.
  • Home working: recordings of calls made from home must be quality-equivalent. If your home broadband drops the call and it does not record, that is a gap FCA has asked about.
  • BYOD: if staff use personal devices for work calls and those calls are regulated, you need MDM (Mobile Device Management) or a separate business-only number/app.

What I would actually do if I were starting from scratch

  1. Write the retention policy first. It is 2 pages. Nobody writes it first, everyone should.
  2. Pick a UK-data-residency provider. Non-negotiable.
  3. Configure pause-and-resume even if you do not take card payments today. You will next year.
  4. Test subject access requests quarterly. If you cannot produce a recording of a random specific caller within 3 working days, you are not compliant, you just have not been asked yet.
  5. Have a deletion log. It exists, regulators look for it.
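An added example, not DialPhone's code, of the storage side of items 3, 6 and 7 in the provider checklist above (tamper-evident storage, automatic deletion, access audit log) and of step 5 here (the deletion log). The signing key, queue names, retention periods and the two sample recordings are constructed for illustration; a real deployment keeps the key in a KMS or HSM and the audio in object storage. Each recording is indexed in an append-only, HMAC-signed hash chain; a deletion is itself a signed chain entry plus a deletion-log line, so a purge can be proved later and a deletion cannot be used to hide a tampered blob.

```python
"""Tamper-evident recording store: hash-chained index, per-queue retention,
automatic deletion with a deletion log, and an access log.
Added example, not DialPhone's code. Key, queue names, retention periods and
the sample recordings are constructed; a real deployment keeps the key in a
KMS/HSM and the audio in object storage.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class ChainEntry:
    kind: str        # "store" or "delete"
    recording_id: str
    queue: str
    at: str          # ISO 8601 UTC: stored-at, or deleted-at
    sha256: str      # digest of the audio blob; "" for delete entries
    prev_sig: str    # signature of the previous entry: the hash chain
    sig: str = ""    # HMAC-SHA256 over the fields above

class RecordingStore:
    def __init__(self, signing_key, retention_days):
        self._key = signing_key
        self._retention = retention_days  # queue -> days: the written policy as data
        self.index = []                   # append-only chain; entries are never removed
        self.blobs = {}                   # recording_id -> audio bytes
        self.access_log = []
        self.deletion_log = []

    def _sign(self, e):
        msg = json.dumps([e.kind, e.recording_id, e.queue, e.at, e.sha256, e.prev_sig])
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()

    def _append(self, kind, recording_id, queue, at, sha256=""):
        prev = self.index[-1].sig if self.index else "genesis"
        e = ChainEntry(kind, recording_id, queue, at.isoformat(), sha256, prev)
        e.sig = self._sign(e)
        self.index.append(e)
        return e

    def store(self, recording_id, queue, created, audio):
        # Policy first: refuse to record into a queue with no retention period.
        if queue not in self._retention:
            raise ValueError(f"no retention policy for queue {queue!r}")
        self.blobs[recording_id] = audio
        return self._append("store", recording_id, queue, created,
                            hashlib.sha256(audio).hexdigest())

    def fetch(self, recording_id, actor, purpose, now):
        """Every read is logged: who accessed which recording, when and why."""
        self.access_log.append({"id": recording_id, "actor": actor,
                                "purpose": purpose, "at": now.isoformat()})
        return self.blobs.get(recording_id)

    def _deleted(self):
        return {e.recording_id for e in self.index if e.kind == "delete"}

    def verify(self):
        """Recompute the chain and every retained blob's digest; any edit,
        reorder or silent removal of an entry or blob makes this False."""
        prev = "genesis"
        for e in self.index:
            if e.prev_sig != prev or not hmac.compare_digest(self._sign(e), e.sig):
                return False
            prev = e.sig
        gone = self._deleted()
        for e in self.index:
            if e.kind == "store" and e.recording_id not in gone:
                blob = self.blobs.get(e.recording_id)
                if blob is None or hashlib.sha256(blob).hexdigest() != e.sha256:
                    return False
        return True

    def purge_expired(self, now, actor="retention-job"):
        """Delete blobs past their queue's window; each deletion is a signed
        chain entry plus a deletion-log line, so it can be proved later."""
        removed, gone = [], self._deleted()
        for e in list(self.index):          # copy: _append mutates the index
            if e.kind != "store" or e.recording_id in gone:
                continue
            expiry = datetime.fromisoformat(e.at) + timedelta(days=self._retention[e.queue])
            if now >= expiry:
                self.blobs.pop(e.recording_id, None)
                self._append("delete", e.recording_id, e.queue, now)
                self.deletion_log.append({"id": e.recording_id, "queue": e.queue,
                                          "expired": expiry.isoformat(),
                                          "deleted_at": now.isoformat(), "actor": actor})
                removed.append(e.recording_id)
        return removed

KEY = b"constructed-demo-key; real deployments use a KMS"
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)

def demo():
    """Constructed sample: a sales call (180-day policy), an advice call
    (5-year policy), one subject-access read, then the purge job 200 days on."""
    s = RecordingStore(KEY, {"sales": 180, "advice": 5 * 365})
    s.store("call-1", "sales", T0, b"constructed audio for call-1")
    s.store("call-2", "advice", T0, b"constructed audio for call-2")
    s.fetch("call-2", "dsar-team", "subject access request", T0 + timedelta(days=30))
    return s, s.purge_expired(T0 + timedelta(days=200))
```

Running demo() purges call-1 only, leaves the chain verifying, and produces one deletion-log line and one access-log line. Editing a retained blob, rewriting an index entry, or dropping the deletion entry from the chain each makes verify() return False, which is the property "tamper-evident" actually has to mean when you ask a provider how they do it.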

DialPhone offers UK-resident call recording with configurable retention, pause-and-resume, subject access tooling, and audit logging. We work with around 40 FCA-regulated firms and roughly 80 card-handling retailers. If you want a compliance gap analysis against your current provider, we will send one for free.
