Contact centre compliance
UK contact centres operate under at least four distinct regulatory regimes — and each one has direct operational implications for AHT, ACW, call recording, outbound dialling, and staffing. This guide covers the key obligations, regulators, and WFM impact of each framework.
Operational context only
This guide provides general operational guidance for contact centre and workforce planning teams. It does not constitute legal, regulatory, or professional advice. Always verify requirements applicable to your situation with the appropriate qualified professional before making operational or policy changes.
UK GDPR / Data Protection Act 2018
Regulator: ICO · Scope: All contact centres processing personal data of UK residents
Key obligations
- Lawful basis for processing (legitimate interests most common for call recording for QA)
- Fair processing notice before recording begins (IVR announcement)
- Retention policy: specify how long recordings and interaction data are kept
- Subject access requests (SARs): locate and provide recordings within 30 days
- Data breach reporting to ICO within 72 hours of becoming aware
- Outbound marketing: PECR consent + TPS suppression required
WFM and operational impact
SAR processing adds back-office workload; breach response requires incident management capacity; PECR suppression reduces outbound contact pool sizes
Maximum penalty
Up to £17.5m or 4% of global annual turnover (whichever higher)
Financial Conduct Authority (FCA)
Regulator: FCA · Scope: Contact centres handling regulated financial products (mortgages, insurance, investments, consumer credit)
Key obligations
- Consumer Duty: evidence that customers receive fair outcomes — scripting, QA, and training must align
- Mandatory call recording for certain regulated communications (MiFID II COBS 11.8)
- Treating Customers Fairly (TCF): complaints handling, vulnerable customer identification
- Conduct of Business rules: suitability, disclosure, and information requirements at point of sale
- Vulnerable customers: FG21/1 guidance requires identification and appropriate handling
- Senior Manager & Certification Regime (SM&CR): named accountability for contact centre operations
WFM and operational impact
Vulnerable customer handling adds AHT; Consumer Duty evidence requirements add compliance ACW; mandatory recording adds storage and retrieval overhead; SM&CR requires documented oversight structure
Maximum penalty
Unlimited (based on severity and harm caused); recent fines include £50m+ for systemic mis-selling
PCI DSS (Payment Card Industry Data Security Standard)
Regulator: Card schemes (Visa, Mastercard) via QSAs · Scope: Contact centres that process, store, or transmit payment card data over the phone
Key obligations
- Requirement 3.2: do not store sensitive authentication data post-authorisation — pause recording during card entry
- Requirement 9.4: physical security controls in the cardholder data environment (CDE)
- DTMF masking or pause-and-resume recording implementation for card payments
- Annual PCI DSS assessment (QSA audit or SAQ, depending on volume level)
- Third-party service provider contracts must include PCI DSS obligations
WFM and operational impact
Pause-and-resume recording adds 15–30 seconds to payment AHT; DTMF masking requires IVR integration; CDE physical controls may affect floor layout and access policies
Maximum penalty
Card scheme fines £5,000–100,000+ per month until compliance achieved; potential removal from card scheme
Ofcom persistent misuse rules
Regulator: Ofcom · Scope: Contact centres making outbound voice calls (predictive, power, or preview dialling)
Key obligations
- Abandoned call rate: maximum 3% over any 24-hour period
- 2-second rule: agent must connect within 2 seconds of customer answering, or play an informational message
- No repeated calling: do not recall a customer who heard an abandoned call message within 72 hours for the same campaign
- CLI (Calling Line Identity): must not withhold; must use a real return number
- Informational message: if the call is abandoned, the message must include caller identity and a freephone number
WFM and operational impact
3% abandonment cap constrains dialler pacing — predictive dialler must be configured to stop dialling before breach; 2-second rule requires sufficient agent availability at dial-to-connect ratio; non-compliance risk requires WFM monitoring of abandonment rate in real time
Maximum penalty
Up to £2 million
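The four Ofcom rules above are the kind of thing a WFM or compliance team can check mechanically from a dialler export. The script below is an added example, not part of the original guide or any dialler vendor's tooling. It runs the abandonment-cap, 2-second, 72-hour recall and CLI checks over a constructed set of call events; the event fields (`ts`, `campaign`, `number`, `outcome`, `connect_delay_s`, `message_played`, `cli_withheld`) are assumptions about what a dialler can report, the phone numbers are from the Ofcom-reserved 01632 960xxx drama range, and the abandonment rate is measured per calendar day (a simplification of "any 24-hour period") with "live calls" taken as calls answered by a person, whether then connected to an agent or abandoned.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ABANDON_RATE = 0.03            # 3% cap per 24-hour period
CONNECT_LIMIT_S = 2.0              # agent must connect within 2 seconds of answer
RECALL_WINDOW = timedelta(hours=72)  # no recall after an abandoned-call message


def _event(ts, number, outcome, delay=0.0, message=False, cli_withheld=False, campaign="renewals"):
    """Build one constructed dialler event (field names are assumptions, not a real export format)."""
    return {"ts": datetime.fromisoformat(ts), "campaign": campaign, "number": number,
            "outcome": outcome,              # "connected", "abandoned" or "no_answer"
            "connect_delay_s": delay,        # seconds from customer answer to agent connect
            "message_played": message,       # informational message played instead of an agent
            "cli_withheld": cli_withheld}


# Constructed sample data (Ofcom-reserved 01632 960xxx drama numbers, not real customers).
SAMPLE_EVENTS = [
    _event("2024-03-04T09:00:00", "+441632960001", "connected", 1.0),
    _event("2024-03-04T09:05:00", "+441632960002", "connected", 1.5),
    _event("2024-03-04T09:10:00", "+441632960003", "abandoned", 2.5, message=True),   # compliant abandon
    _event("2024-03-04T09:15:00", "+441632960004", "connected", 3.0),                 # late connect, no message
    _event("2024-03-04T09:20:00", "+441632960005", "no_answer"),
    _event("2024-03-04T09:30:00", "+441632960006", "connected", 0.8, cli_withheld=True),
    _event("2024-03-04T10:00:00", "+441632960003", "connected", 1.0),                 # recalled within 72h
    _event("2024-03-08T10:00:00", "+441632960003", "connected", 1.0),                 # recalled after 72h: fine
]
# Day two: 49 connected calls plus one abandoned-with-message call = 2%, within the cap.
SAMPLE_EVENTS += [_event(f"2024-03-05T09:{i:02d}:00", f"+441632960{100 + i:03d}", "connected", 1.0)
                  for i in range(49)]
SAMPLE_EVENTS.append(_event("2024-03-05T10:00:00", "+441632960200", "abandoned", 2.4, message=True))


def live_calls(events):
    """Calls answered by a person: connected to an agent, or abandoned after answer."""
    return [e for e in events if e["outcome"] in ("connected", "abandoned")]


def abandonment_rate_by_day(events):
    """Abandoned calls as a fraction of live calls, per calendar day."""
    counts = defaultdict(lambda: [0, 0])   # day -> [abandoned, live]
    for e in live_calls(events):
        day = e["ts"].date().isoformat()
        counts[day][1] += 1
        if e["outcome"] == "abandoned":
            counts[day][0] += 1
    return {day: abandoned / live for day, (abandoned, live) in counts.items()}


def days_over_cap(events):
    return sorted(d for d, r in abandonment_rate_by_day(events).items() if r > MAX_ABANDON_RATE)


def two_second_violations(events):
    """Answered calls where no agent connected within 2 seconds and no message was played."""
    return [e for e in live_calls(events)
            if e["connect_delay_s"] > CONNECT_LIMIT_S and not e["message_played"]]


def recall_violations(events):
    """Any call attempt to a number within 72h of it hearing an abandoned-call message, same campaign."""
    violations, last_message = [], {}     # (campaign, number) -> time of last message
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["campaign"], e["number"])
        since = last_message.get(key)
        if since is not None and e["ts"] - since < RECALL_WINDOW:
            violations.append(e)
        if e["outcome"] == "abandoned" and e["message_played"]:
            last_message[key] = e["ts"]
    return violations


def cli_violations(events):
    return [e for e in events if e["cli_withheld"]]


def compliance_report(events):
    """Summary a WFM team could review each morning against the four Ofcom rules."""
    return {
        "days_over_abandon_cap": days_over_cap(events),
        "two_second_violations": len(two_second_violations(events)),
        "recall_violations": len(recall_violations(events)),
        "cli_violations": len(cli_violations(events)),
    }


if __name__ == "__main__":
    for day, rate in sorted(abandonment_rate_by_day(SAMPLE_EVENTS).items()):
        print(f"{day}: abandonment {rate:.1%}")
    print(compliance_report(SAMPLE_EVENTS))
```

In the sample, day one breaches the 3% cap on only six live calls (one abandon is already 16.7%), which is the practical reason predictive dialler pacing has to be throttled long before a breach rather than corrected after it; day two shows the same single abandon diluted to 2% by volume. A production version would run the abandonment check as a rolling 24-hour window and feed the result back to the dialler pacing engine in real time.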
How compliance obligations inflate AHT and ACW
Compliance AHT uplift — common sources
- Identity verification: +30–90 seconds. Security questions, voice biometrics setup, or KBA (knowledge-based authentication) before accessing sensitive data
- PCI DSS card payment pause: +15–30 seconds. Pause/resume recording initiation, instruction to customer to use keypad, confirmation of card entry completion
- Consumer Duty / FCA disclosure: +60–180 seconds. Mandatory disclosure, suitability scripting, and customer understanding confirmation for regulated products
- Vulnerable customer identification: +60–120 seconds. Additional questioning, adapted scripting, and escalation for identified vulnerable customers
- Compliance ACW: +30–90 seconds. Mandatory disposition codes, compliance notes, and regulated action records in CRM post-call
- GDPR fair processing notice: +15–30 seconds. Recording announcement if not on IVR; consent verification for new outbound contacts
For FCA-regulated contacts, compliance AHT additions can total 3–5 minutes per interaction. This uplift must be included in the AHT input to the Erlang C calculation: using an AHT that excludes compliance time for staffing calculations systematically under-staffs regulated contact queues.
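To make the staffing effect concrete, here is an added Erlang C example (not the guide's own AHT calculator or any vendor's WFM tool). It compares the agents required to hit 80% of calls answered within 20 seconds when AHT is taken before and after a 4-minute compliance uplift, and shows what service level the understaffed queue would actually deliver. The volume (200 calls per hour), base AHT (300 seconds), uplift (240 seconds) and service-level target are constructed inputs; the Erlang C formula itself is the standard one.

```python
import math


def erlang_c(agents, traffic_erlangs):
    """Probability a call has to wait (Erlang C), computed via the Erlang B recurrence."""
    if agents <= traffic_erlangs:
        return 1.0                     # offered load exceeds capacity: every call waits
    b = 1.0
    for i in range(1, agents + 1):     # Erlang B for i servers, built up from i-1
        b = (traffic_erlangs * b) / (i + traffic_erlangs * b)
    rho = traffic_erlangs / agents     # occupancy
    return b / (1.0 - rho * (1.0 - b))


def service_level(agents, calls_per_hour, aht_s, target_s):
    """Fraction of calls answered within target_s seconds (exponential wait-time tail)."""
    traffic = calls_per_hour * aht_s / 3600.0
    if agents <= traffic:
        return 0.0                     # queue is unstable, service level collapses
    p_wait = erlang_c(agents, traffic)
    return 1.0 - p_wait * math.exp(-(agents - traffic) * target_s / aht_s)


def agents_required(calls_per_hour, aht_s, target_s=20, target_sl=0.80):
    """Smallest agent count meeting the service-level target for this AHT."""
    traffic = calls_per_hour * aht_s / 3600.0
    n = math.floor(traffic) + 1        # need strictly more agents than erlangs of load
    while service_level(n, calls_per_hour, aht_s, target_s) < target_sl:
        n += 1
    return n


def compliance_staffing_gap(calls_per_hour, base_aht_s, compliance_uplift_s,
                            target_s=20, target_sl=0.80):
    """Compare staffing with and without the compliance uplift in the AHT input."""
    without = agents_required(calls_per_hour, base_aht_s, target_s, target_sl)
    with_compliance = agents_required(calls_per_hour, base_aht_s + compliance_uplift_s,
                                      target_s, target_sl)
    return {
        "agents_without_compliance": without,
        "agents_with_compliance": with_compliance,
        "shortfall": with_compliance - without,
        # what the queue delivers if staffed to the pre-compliance number but calls take the real AHT
        "sl_if_staffed_without_compliance": service_level(
            without, calls_per_hour, base_aht_s + compliance_uplift_s, target_s),
    }


if __name__ == "__main__":
    # Constructed inputs: 200 calls/hour, 5-minute base AHT, 4-minute compliance uplift
    gap = compliance_staffing_gap(calls_per_hour=200, base_aht_s=300, compliance_uplift_s=240)
    for key, value in gap.items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
```

With these inputs the pre-compliance AHT gives a load of about 16.7 erlangs and needs 21 agents, while the true AHT gives 30 erlangs and needs roughly 36; staffing to 21 leaves fewer agents than erlangs of work, so the queue never stabilises and the service level is 0% rather than merely below target. The reason to model this in code rather than scale the headcount proportionally is that the shortfall is driven by the changed occupancy, not by AHT alone.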
Compliance questions
Do UK contact centres have to record calls?
No universal obligation, but mandatory in specific contexts: FCA-regulated communications must be recorded under MiFID II. For general QA recording, UK GDPR requires a lawful basis (legitimate interests) and a fair processing notice (IVR announcement). PCI DSS requires recording to be paused during card number entry.
What are the Ofcom rules for outbound contact centre calling?
Abandoned call rate maximum 3% in any 24-hour period; 2-second rule (agent connects within 2 seconds of customer answering or informational message plays); no re-calling within 72 hours for same campaign if customer heard an abandoned call message; CLI must not be withheld. Maximum fine: £2 million.
How does GDPR affect contact centre operations?
GDPR affects call recording (lawful basis + fair processing notice + retention policy), subject access requests (locate and return recordings within 30 days), outbound marketing (PECR consent + TPS suppression), data breach reporting (ICO notification within 72 hours), and data minimisation in agent scripts and ACW.
What is PCI DSS and how does it apply to contact centres?
PCI DSS applies to contact centres processing card payments by phone. Key requirement: call recording must be paused or card number entry muted during payment processing (Requirement 3.2). Common implementations: pause-and-resume recording (adds 15–30 seconds to payment AHT) or DTMF masking (customer enters card via keypad — digits not heard by agent or captured in recording).
Related guides
- After call work (ACW): Compliance ACW adds to AHT
- Outbound staffing: Ofcom rules and dialler capacity
- Financial services staffing: FCA-regulated contact centre model
- Quality management: QA for compliance monitoring
- AHT guide: Compliance additions to AHT
- Technology stack: Recording and compliance tooling
- AHT calculator: Model the AHT impact of compliance disclosure and ACW steps
- FCR calculator: Measure FCR rate on compliance-sensitive contact types