Not legal advice. This site is an editorial reference. Laws change — always confirm with a qualified attorney in the relevant jurisdiction before recording, and check each page’s last reviewed date.

Call Recording Laws in the United Kingdom

Plain-English summary

Recording a phone call in the UK is lawful where the recording is by a participant and the purpose is purely personal. Where the recording is by an organization — a business, a public authority, an employer — UK GDPR and the Data Protection Act 2018 apply, and the recording must rest on one of six lawful bases, must be disclosed to the data subject, and must be retained no longer than necessary.

The Investigatory Powers Act 2016 criminalizes unlawful interception of communications in the course of transmission, but only where the intercept is by a person who is not a party to the call. Participant recording for personal purposes does not engage the IPA. Workplace recording engages employment-law requirements in addition to data protection.

Statutory framework

  • UK GDPR. Applies to all processing by organizations.
  • Data Protection Act 2018. The UK implementing statute.
  • Investigatory Powers Act 2016, s. 3. Criminalizes unlawful interception in the course of transmission by a person who is not a party. Participant recording for purely personal purposes is not within the offence.
  • Privacy and Electronic Communications Regulations 2003 (PECR). Specific rules on direct marketing and electronic communications.
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Permits interception in the course of business for defined purposes (training, quality assurance, evidence of transactions) where reasonable efforts have been made to inform users.

Regulator guidance

The Information Commissioner’s Office (ICO) is the lead regulator for data-protection compliance. The ICO has published guidance on call recording (most recently updated under the UK GDPR framework). Ofcom regulates telecommunications carriers and imposes notice obligations on carriers themselves.

ICO guidance treats call recording for ordinary commercial purposes as lawful where there is a clear, accessible notice at the start of the call, a defined retention period, and access controls. Recording for direct marketing requires explicit consent under PECR.

UK GDPR specifics

The UK retained GDPR after Brexit with minor modifications. The lawful-basis framework (Article 6), transparency duties (Articles 13–14), retention limits (Article 5), and security obligations (Article 32) all apply. The maximum administrative fine in the UK is the higher of £17.5 million or 4% of global annual turnover.

Workplace and business calls

UK workplace recording of calls is permitted under the Telecommunications (Lawful Business Practice) Regulations 2000 for defined business purposes, provided reasonable efforts have been made to inform every user (worker and external caller) that recording may occur. Notification typically takes the form of a written policy for employees and an audible preamble for external callers.

The Information Commissioner’s Employment Practices Code (or its successor) recommends impact assessments before introducing call recording in the workplace, restricted access to recordings, and a defined retention period proportionate to the business purpose.

Cross-border and conflict-of-laws notes

UK GDPR applies extraterritorially to processing of UK residents’ data by overseas organizations targeting the UK market. Transfers of recordings outside the UK require a transfer mechanism (adequacy regulations or international data transfer agreement).

Penalties and remedies

Criminal: unlawful interception under IPA 2016 s. 3 is an offence punishable by up to 2 years’ imprisonment and/or a fine. Data-protection offences under DPA 2018 carry separate penalties.

Civil: data subjects have a right of compensation under UK GDPR Article 82. Recent UK case law has been cautious about non-material damages but does permit them.

Regulatory: the ICO may impose fines up to £17.5 million or 4% of global annual turnover.

Practical guidance

  • For personal recording of your own calls, the IPA does not apply and UK GDPR’s household exemption (Art. 2(2)(c)) generally applies.
  • For business recording, document the lawful basis, give clear pre-call notice, define a retention period, and restrict access.
  • For workplace recording, conduct a data-protection impact assessment (DPIA) and consult employee representatives.
  • For marketing calls, the consent requirements under PECR are stricter than UK GDPR alone.

Related