Most UK businesses think GDPR applies to emails and websites. They forget that phone calls generate personal data too — and the compliance gaps are enormous.
After auditing GDPR telephony compliance for 40 UK organisations, here are the violations I find in almost every one.
Violation 1: Recording Calls Without Proper Legal Basis (85% of businesses)
You cannot record calls just because you want to. You need a legal basis under Article 6 of UK GDPR:
| Legal Basis | When It Applies | What You Must Do |
|---|---|---|
| Consent | Customer agrees to recording | Play announcement AND get explicit consent |
| Legitimate interest | Training, quality, dispute resolution | Document your LIA, offer opt-out |
| Legal obligation | Financial services (FCA requirement) | Document the specific regulation |
| Contract performance | Recording needed to fulfil contract | Document how recording serves the contract |
The common mistake: Playing "this call may be recorded" and assuming that is consent. It is not. An announcement is notification, not consent. For consent, you need affirmative agreement ("press 1 to agree to recording").
The better approach: Use legitimate interest as your legal basis. Document a Legitimate Interest Assessment (LIA) covering: purpose (training, quality, disputes), necessity (cannot achieve purpose without recording), balance (your interest vs caller's privacy). Most businesses can justify recording under legitimate interest without needing per-call consent.
Violation 2: No Data Retention Policy for Recordings (72% of businesses)
Recordings are personal data. Under GDPR Article 5(1)(e), personal data must not be kept longer than necessary.
| Industry | Recommended Retention | Regulatory Requirement |
|---|---|---|
| General business | 6-12 months | None (but justify your choice) |
| Financial services | 5-7 years | FCA MiFID II |
| Healthcare | 8 years | NHS records management |
| Legal | 6 years after matter closes | SRA guidelines |
| Insurance | 3 years | FCA guidelines |
The common mistake: Keeping recordings forever because storage is cheap. This violates the storage limitation principle. You must define a retention period and automatically delete recordings after it expires.
Violation 3: No Process for Subject Access Requests (68% of businesses)
Anyone can request copies of their call recordings under Article 15. You have 30 days to respond.
The test: Call your phone system administrator and say: "A customer has requested all recordings of calls with them from the past 12 months. How quickly can you produce them?"
If the answer involves manually searching through thousands of recordings, you are not compliant. You need:
- Search by phone number
- Search by date range
- Export in standard format (MP3/WAV)
- Ability to redact third-party data from multi-party calls
Violation 4: Voicemail Transcriptions Not Treated as Personal Data (55% of businesses)
Voicemail-to-email transcriptions contain personal data (caller's name, phone number, message content). They are stored in email servers, potentially backed up to multiple locations, and rarely covered by the data retention policy.
The fix: Include voicemail transcriptions in your data retention policy. Auto-delete transcription emails after the defined retention period.
Violation 5: Call Data Shared Without DPA (48% of businesses)
Your VoIP provider processes personal data on your behalf (call recordings, CDRs, voicemail). Under Article 28, you must have a Data Processing Agreement (DPA) in place.
| Check | Compliant | Non-Compliant |
|---|---|---|
| DPA signed with VoIP provider | Document on file | No DPA exists |
| DPA covers all data types | Recordings, CDRs, voicemail, transcriptions | Only mentions "calls" vaguely |
| Sub-processor list provided | Provider discloses all sub-processors | "We use cloud infrastructure" (no specifics) |
| Breach notification clause | Provider notifies within 72 hours | No breach notification terms |
The GDPR Telephony Checklist
- [ ] Legal basis for recording documented (LIA or consent mechanism)
- [ ] Recording announcement configured and playing
- [ ] Data retention policy includes call recordings AND voicemail transcriptions
- [ ] Automatic deletion after retention period
- [ ] SAR process documented and tested (can you find recordings by phone number?)
- [ ] DPA signed with VoIP provider
- [ ] Sub-processor list obtained from provider
- [ ] Breach notification clause in DPA (72-hour timeline)
- [ ] Staff trained on handling recording-related SARs
- [ ] Privacy notice updated to mention call recording
DialPhone provides a signed DPA with every UK customer, configurable retention policies with automatic deletion, searchable recording archives for SAR compliance, and a sub-processor list published transparently. Because GDPR compliance should be built into the phone system, not bolted on afterwards.
Top comments (0)