How does GDPR affect call recording?


The legalities of recording calls haven't changed much if you have a "legitimate interest" to record them in the first place.


Consent under GDPR must be freely given. It must be specific, informed and an unambiguous indication of the individual’s wishes. 

There must be a clear affirmative action – consent cannot be inferred by silence, pre-ticked boxes or inactivity.

Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. 


However, you can also rely on the "other" lawful bases to record calls.


If you record calls for one of the 6 reasons stated below under “lawful reasons to record”, all you need to do is ensure you document the basis for recording calls for the ICO, for audit and GDPR compliance purposes.


Organisations must show how they are compliant with at least one of the following:

  • Individual(s) involved in the call have given their consent to be recorded (oral acceptance during the call, consent after receiving a message, or consent as part of a customer agreement) 
  • Recording is necessary for the performance of a contract with the subject or to take steps to enter into a contract.

  • Recording is necessary for compliance with a legal obligation to which the recorder is subject.

  • Recording is necessary to protect the vital interests of one or more participants. 

  • Recording is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  • Where call recording is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.



In addition to securing the explicit consent of the customer or having a legal purpose for recording the call, organisations will also have to keep this record accessible and be able to produce it within one month, should a customer submit a Subject Access Request.
At the same time, should a customer invoke their “right to be forgotten”, organisations must have the ability to permanently delete the audio file of the recording in order to remain compliant with GDPR.


Industry Specific Call Recording Rules


Several industry governing bodies have rules around call recordings. For example, the Financial Conduct Authority (FCA) requires financial firms, including brokers, banks and investment managers, to record complete phone conversations. The FCA deems that full recordings are useful across all sectors to resolve transaction disputes and ensure that customers are treated fairly, consistently and are given the correct information and advice. However, they also have specific regulations, including the Markets in Financial Instruments Directive ("MiFID"), and if you are receiving payments by credit card, further regulations apply: the PCI Data Security Standard ("PCI DSS").



Are there any other laws that regulate call recordings?


Investigatory Powers Act 2016 (supersedes the Regulation of Investigatory Powers Act 2000 ("RIPA"))
Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 ("LBP Regulations")
The Employment practices, Data protection code
Human Rights Act 1998 ("HRA")
Section 48 of the Wireless Telegraphy Act 2006 (offence of interception or disclosure of messages) ("WTA")
Sections 1 to 3A of the Computer Misuse Act 1990 (computer misuse offences) ("CMA") 



Further information


If you would like further information about GDPR and Mediahawk, please contact our Client Services Team at clientservices@mediahawk.co.uk or 0333 222 8333.

We recommend that you get in touch with a qualified legal professional to understand the specific requirements of the regulation and how you should apply it within your organisation. 


This is a commentary on GDPR as Mediahawk interprets it. This document is provided for informational purposes only and should not be relied on as legal advice or to determine how GDPR might apply to you and your organisation. We encourage you to work with a qualified legal professional to discuss GDPR and its impact on your organisation to ensure compliance. Mediahawk makes no warranties, express, implied, or statutory, as to the information in this document.