Contact centre call recording
Call recording is both a compliance obligation and an operational tool. The compliance side is non-negotiable — regulators require it, GDPR governs it, and PCI DSS constrains what can be captured during payment. The operational side is where the value is: QA, coaching, dispute resolution, and analytics.
Note on legal jurisdiction
This guide describes the regulatory framework applicable in Great Britain (FCA, UK GDPR, Ofcom, PCI DSS). The specific requirements vary by country and sector. Always verify the requirements applicable to your operation with your compliance team before designing or changing your call recording policy. This guide is for operational context, not legal advice.
Regulatory frameworks governing call recording
FCA (Financial Conduct Authority)
Applies to: FCA-authorised firms: banks, insurers, investment firms, mortgage brokers
Recording requirement
Record all regulated conversations — telephone and electronic. This includes sales calls, advice calls, and conversations where regulated activity is discussed.
Retention period
Minimum 5 years; 7 years for MiFID II activities (investment advice, discretionary management)
Key rule
Recordings must be stored in a format that cannot be altered or deleted by the agent. They must be retrievable within a reasonable timeframe for FCA inspection.
PCI DSS (Payment Card Industry Data Security Standard)
Applies to: Any contact centre that takes card payments over the phone
Recording requirement
Cardholder data (16-digit PAN, CVV/CVC, expiry date, full track data) must NOT be recorded. This means the recording system must pause or mute during the payment input phase.
Retention period
Not applicable to paused recording — the requirement is that card data is never captured
Key rule
Pause-on-payment is the standard approach: the recording pauses when the customer reads their card number, then resumes after payment completion. DTMF masking (converting keypad tones to silent or replaced tones) is an alternative for IVR payment collection.
GDPR (UK GDPR and Data Protection Act 2018)
Applies to: All contact centres handling calls with customers in the UK
Recording requirement
A lawful basis must exist for recording (typically legitimate interests or legal obligation). Customers must be informed they are being recorded. Recordings are personal data and subject to all GDPR obligations including subject access requests.
Retention period
No longer than necessary for the stated purpose — document the retention period in the Records of Processing Activities (RoPA)
Key rule
Customers have the right to request a copy of their call recording under UK GDPR (Subject Access Request). The contact centre must be able to retrieve and provide it within 30 days. Customers also have the right to have recordings deleted when the retention period expires or when their purpose no longer applies.
Ofcom (Communications regulator)
Applies to: Telecoms providers and communications networks
Recording requirement
Communications providers must retain certain call data records for national security purposes under the Investigatory Powers Act 2016. Contact centres providing telecoms services have additional record-keeping requirements.
Retention period
12 months minimum for call data records where applicable
Key rule
For contact centres that are primarily customers of telecoms providers (rather than providers themselves), the Ofcom requirements apply to the network — not to the call centre's own recording system.
Operational uses of call recordings
Quality assurance monitoring
QA assessors review recorded calls against the quality scorecard. Recording enables asynchronous QA — assessors review at a time that does not interrupt live operations. Target is typically 3–5 calls per agent per month for standard QA; increased for performance management or development focus.
Coaching and development
Team leaders use recordings in 1:1 coaching sessions — the agent and TL listen together to a specific call and discuss what went well and what could be improved. Recording makes coaching evidence-based rather than anecdote-based.
Dispute resolution
When a customer disputes what was said on a call (was a price quoted, was an agreement made, was a disclosure given), the recording is the primary evidence. The ability to retrieve specific recordings within minutes of a dispute being raised is an operational requirement in regulated sectors.
Training material
Recordings of excellent calls are used as training examples — both for initial onboarding and for refresher training. Anonymised real calls with context are more effective training tools than role-plays or simulations.
Speech analytics
Where speech analytics technology is deployed, recordings are transcribed and analysed at scale — identifying call reason, sentiment, compliance adherence, silence time, and talking-over events. Speech analytics converts the recording archive from a static compliance tool to a live operational intelligence source.
Root cause analysis
When a CSAT score drops, a complaint is received, or a regulatory incident occurs, the recording is the primary investigation tool. WFM teams use recordings alongside AHT and FCR data to identify whether the contact type was handled consistently.
Agent notification and transparency requirements
Under UK GDPR, agents must be informed that their calls are recorded and must understand why. This is typically achieved through the employment contract, staff handbook, and a recorded message at the start of each shift or call. Covert recording of agents without their knowledge is generally not lawful under UK GDPR unless there is a specific investigatory reason.
Employment contract or written notice
Agents should be notified in writing at the start of their employment that all contacts are recorded, the purposes for which recordings are used, and the retention period.
Staff privacy notice
The staff-facing privacy notice should cover call recording as a category of personal data processed about employees — including the lawful basis (legitimate interests or legal obligation) and the retention period.
Monitoring policy
A written policy covering what is monitored, how recordings are accessed, who can access them, and the process for discussing a recording with an agent should be published and accessible to all staff.
Customer notification
Customers must also be notified that calls are recorded — typically via the IVR opening message ('This call may be recorded for quality and training purposes'). This satisfies the GDPR transparency requirement for the customer, not the agent.
Call recording questions
How long must contact centres keep call recordings?
Retention periods depend on the regulatory framework. FCA-regulated firms: 5 years minimum (7 years for MiFID II activities including investment advice). General customer service recordings with no sector-specific regulation: 6–12 months is typical, based on the time window within which most disputes arise. Under UK GDPR, recordings must not be kept longer than necessary for their stated purpose — document the retention period in your Records of Processing Activities. When the retention period expires, recordings must be securely deleted, not simply made inaccessible.
Related guides
Compliance guide
Full regulatory compliance for contact centres
GDPR & data protection
Data subject rights and contact centre obligations
QA and quality management
Using recordings for quality monitoring
Speech analytics guide
Turning recordings into operational intelligence
Coaching guide
Using recordings in 1:1 coaching sessions
QA scorecard design
Designing the scorecard recordings are assessed against
AHT calculator
Calibrate AHT benchmarks using sampled recording analysis
FCR calculator
Measure FCR rates from recordings reviewed in QA