TurnellaBeta

GDPR in contact centres

Contact centres process personal data at scale: call recordings, screen recordings, call logs, interaction notes, profiling data, payment data. UK GDPR imposes obligations at every step — from the ID&V check that opens the call to the retention policy that determines when the recording is deleted. This guide covers what matters operationally.

Note on legal jurisdiction

This guide describes UK GDPR and data protection obligations as they apply to contact centres operating in Great Britain. Data protection law varies by jurisdiction. Always verify the requirements applicable to your operation with your Data Protection Officer or legal counsel before changing data handling practices. This guide is for operational context, not legal advice.


Call recording: lawful basis

Lawful basis: Legitimate interests (Art 6(1)(f))
When it applies: General customer service calls recorded for training, QA and dispute resolution. Must pass a Legitimate Interests Assessment (LIA). The most common basis for non-regulated calls.
Practical implication: The LIA must be documented and referenced from the ROPA. A fair processing notice is required in the IVR before the call begins. Retention must be proportionate. The right to object (Art 21) applies: if a customer objects, you must stop recording unless you can show compelling legitimate grounds that override their interests, so you need a workable way to suspend recording for that call.

Lawful basis: Legal obligation (Art 6(1)(c))
When it applies: FCA-regulated calls recorded under MIFID II, CASS or another regulatory requirement. The regulation mandates the recording; you have no discretion.
Practical implication: Minimum 5-year retention (MIFID II). The right to object does not apply. Recordings must be stored so they cannot be edited or deleted before the retention period ends (write-once or tamper-evident storage) and must be accessible to the regulator on demand. This basis is narrower but stronger: no LIA is needed.

Lawful basis: Consent (Art 6(1)(a))
When it applies: Rarely used in practice for call recording. A theoretical option that creates operational problems: consent can be withdrawn mid-call and creates a two-tier service.
Practical implication: Not recommended. If used, the withdrawal mechanism must be granular and workable. Unrecorded calls create QA coverage gaps and dispute resolution problems. Most DPOs advise legitimate interests or legal obligation instead.

Lawful basis: Contract performance (Art 6(1)(b))
When it applies: Recording is strictly necessary to perform the contract with the customer, e.g. confirming a verbal order, or processing a regulated sale where the voice recording is part of the contract record.
Practical implication: Narrow scope; 'necessary' is interpreted strictly. Can apply to specific call types (verbal contract completions) but not to routine service calls. Document which call categories this covers.

Fair processing notice requirement: UK GDPR requires customers to be told their call may be recorded before processing begins. The IVR announcement ('calls may be recorded for training and quality purposes') satisfies this if it plays before any data is captured. It is not sufficient if the announcement plays after the recording starts. Your privacy notice (website and call IVR) must also describe: what data is recorded, the lawful basis, how long it is kept, and how customers can exercise their rights.

Data retention policy

Data type: Routine service call recordings
Standard retention: 90 days to 6 months
Regulated minimum: N/A
Trigger for extension: Complaint or dispute; extend to complaint resolution + 6 months

Data type: Complaints call recordings
Standard retention: Complaint resolution + 6 to 12 months
Regulated minimum: N/A (the FOS referral window is 6 months from the final response)
Trigger for extension: FOS referral or legal proceedings; extend to resolution

Data type: MIFID II regulated calls (investment advice, execution)
Standard retention: 5 years (mandatory minimum)
Regulated minimum: 5 years under MIFID II; 7 years for pension-related sales
Trigger for extension: FCA investigation or customer dispute; retain until resolved

Data type: Sales calls (regulated products)
Standard retention: 5 years
Regulated minimum: 5 years (FCA)
Trigger for extension: Mis-selling complaint; retain until resolved + 6 years (limitation period)

Data type: Screen recordings
Standard retention: Same as the associated call recording
Regulated minimum: Same regulatory minimum as the call
Trigger for extension: As per the associated call

Data type: Chat and email transcripts
Standard retention: 6 to 12 months
Regulated minimum: Same as voice for regulated contact types
Trigger for extension: Dispute, complaint or SAR

Data type: Call log data (metadata: date, time, duration, CLI)
Standard retention: 12 months
Regulated minimum: As above for regulated calls
Trigger for extension: Dispute or SAR; retain until resolved

Data type: Payment card data (DTMF tones)
Standard retention: Must NOT be recorded at all (PCI-DSS)
Regulated minimum: Prohibited
Trigger for extension: N/A; a DTMF pause (recording suspended during card entry) is required in all telephony systems

All retention periods beyond 6 months require documented justification in the ROPA. Auto-deletion must be configured in your telephony or call recording platform — do not rely on manual deletion processes.

ID&V design: authentication vs. data minimisation

Minimum necessary authentication

UK GDPR's data minimisation principle applies to the ID&V challenge itself. Asking for date of birth + postcode + last four of account number + mother's maiden name + memorable word in a single authentication sequence collects far more data than is necessary to confirm identity. The ICO expects ID&V processes to use the minimum number of data points needed to achieve a reasonable confidence level. Tiered authentication — basic data for low-risk transactions, additional data only for high-risk — is the GDPR-aligned approach.

Biometric and voice authentication

Voice biometric authentication (VBA) processes biometric data, a special category under Article 9 UK GDPR. Processing special category data requires both a lawful basis (Article 6) and a special category condition (Article 9(2)). For VBA, explicit consent (Article 9(2)(a)) is the most practical condition, which means a clear opt-in, the ability to opt out without service degradation, and a fallback authentication method. Because it is biometric processing, a DPIA (Article 35) is required before deployment; the ICO lists biometric identification among the operations that always need one. A VBA programme with no documented Article 9 condition or DPIA is a significant regulatory risk.

Knowledge-based authentication (KBA) vulnerabilities

Knowledge-based authentication (security questions, memorable words) creates its own data protection risks: the answers are personal data that must be stored, protected, and eventually deleted. A data breach of KBA answers creates a persistent risk because — unlike passwords — answers to 'mother's maiden name' cannot be changed. Where possible, reduce reliance on static KBA data and move toward dynamic or behavioural authentication. Any KBA data stored must be in the ROPA and subject to the same access controls and retention limits as other personal data.

Third-party callers and power of attorney

Handling calls from authorised third parties (family members, carers, power of attorney holders) requires a documented process. Sharing customer personal data with an unverified third party is a data breach. The contact centre must have a clear process for: registering an authorised third party (with the account holder's consent), authenticating the third party on subsequent calls, and confirming that the authority remains valid. For FCA-regulated accounts, third-party mandates have additional requirements under the FCA's consumer understanding and vulnerability frameworks.

Subject Access Request (SAR) handling

SAR process: one-month obligation timeline

Day 0

Receipt

SAR is received. The one-month clock (Article 12(3)) starts on the day of receipt regardless of channel (verbal, written, email, online form, social media); the request does not have to mention GDPR or be addressed to the DPO. Verify the requester's identity using minimum-necessary data. Where you genuinely need proof of identity or clarification of scope, the ICO's position is that the clock does not start until that information arrives, so ask for it immediately rather than late in the month. Acknowledge receipt in writing.

Days 1–5

Scope and locate

Scope all personal data held. In a contact centre context: call recordings (audio and screen), call logs, case/ticket notes, chat and email transcripts, CRM records, quality monitoring data, wrap codes, any profiling or segmentation data. Log all systems that hold data about this individual.

Days 5–15

Retrieve and review

Retrieve data from all systems. Review for third-party data: if any recording contains details about another person, that portion must be redacted before disclosure. This is the most time-consuming step for call recordings.

Days 15–25

Compile and redact

Compile the response package. Apply redactions. Prepare the covering letter describing: data categories provided, purposes of processing, lawful basis, recipients, retention periods, and the right to lodge a complaint with the ICO.

Days 25–30

Respond

Respond to the individual by the deadline: the corresponding calendar date one month after receipt, or the last day of the following month if there is no corresponding date (a request received on 31 January is due on 28 or 29 February); a deadline that falls on a weekend or bank holiday moves to the next working day. For complex or numerous requests the deadline can be extended by up to a further two months, but the requester must be told of the extension and its reason within the first month.
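The deadline arithmetic above is where a fixed "30 days" goes wrong: the ICO counts one month to the corresponding date in the following month, falls back to the month end when there is none, and rolls forward over weekends and bank holidays. The following is an added example for this guide, not code from the original page; the bank-holiday set is supplied by the caller, and applying the same roll-forward rule to the extended (three-month) deadline is an assumption.

```python
"""UK GDPR subject access request deadline calculator.

Added example for this guide, not code from the page. It implements the ICO's
counting rule: one month ends on the corresponding calendar date of the following
month (or the last day of that month if there is no such date), and a deadline
that lands on a weekend or bank holiday moves to the next working day. Applying
the same roll-forward to the extended (one month + two months) deadline is an
assumption; bank holidays are supplied by the caller.
"""
import calendar
from datetime import date, timedelta
from typing import Iterable


def add_months(d: date, months: int) -> date:
    """Corresponding calendar date `months` ahead, clamped to the month end."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, bank_holidays: frozenset) -> date:
    """Roll forward past Saturday (5), Sunday (6) and any listed bank holiday."""
    while d.weekday() >= 5 or d in bank_holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date, extended: bool = False,
                 bank_holidays: Iterable[date] = ()) -> date:
    """Response deadline for a SAR received on `received`.

    `extended` models the Article 12(3) extension of a further two months for
    complex or numerous requests; the requester must be told within the first month.
    """
    months = 3 if extended else 1
    return next_working_day(add_months(received, months), frozenset(bank_holidays))


def days_remaining(received: date, today: date, **kwargs) -> int:
    """Working-plan helper: days left before the deadline (negative once overdue)."""
    return (sar_deadline(received, **kwargs) - today).days


if __name__ == "__main__":
    # Constructed sample: a request received on 31 January has no 31 February,
    # so the deadline is the last day of February.
    print(sar_deadline(date(2025, 1, 31)))   # 2025-02-28
```

Feed the calculator the ICO's bank-holiday list for the relevant UK nation; the weekend rule is fixed but the holiday set differs between England and Wales, Scotland and Northern Ireland.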

ICO and FCA regulatory overlap

FCA-regulated contact centres operate under two overlapping regulatory frameworks: UK GDPR (enforced by the ICO) and FCA requirements (Consumer Duty, MIFID II, CASS, DISP). These frameworks have distinct requirements that sometimes create tension.

Call recording retention

GDPR/ICO: No longer than necessary. ICO expects deletion when purpose is served. Storing all calls for 5 years requires documented justification for non-regulated calls.

FCA: MIFID II and CASS require minimum 5-year retention for regulated calls. FCA may request recordings during an investigation or thematic review.

Resolution: Tiered retention policy: apply regulatory minimum (5yr) to regulated call types; 90-day standard to routine service calls. Document both policies in ROPA.

Data subject rights (erasure)

GDPR/ICO: Right to erasure ('right to be forgotten'): individuals can request deletion of personal data where there is no legitimate purpose for retention.

FCA: FCA requires records to be retained for specified minimum periods. An erasure request for a regulated call recording must be refused for the regulatory retention period.

Resolution: Process erasure requests against a retention flag: if the record is within a mandatory retention period, refuse the request, record the refusal and cite the legal obligation. Article 17(3)(b) UK GDPR disapplies the right to erasure where processing is necessary to comply with a legal obligation, so no separate DPA 2018 Schedule 2 exemption is needed. The refusal must still be sent within one month and must tell the individual the reason and that they can complain to the ICO (Article 12(4)).
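Below is an added example, not Turnella's code or any recording platform's API, of the retention-flag check described here together with the auto-deletion-by-call-type policy from the retention section above. The POLICIES table carries the periods from that table; the category names, the Recording fields and the mapping of each refusal onto an Article 17(3) limb are assumptions for illustration and should be confirmed with the DPO.

```python
"""Retention and erasure decisioning for contact-centre call recordings.

Added example for this guide, not Turnella's code or a vendor API. POLICIES
encodes the periods from the guide's retention table; the category names, the
Recording fields and the Article 17(3) limb attached to each refusal are
assumptions for illustration, to be confirmed with the DPO.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Category(Enum):
    ROUTINE = "routine service call"
    COMPLAINT = "complaint call"
    MIFID = "MIFID II regulated call"
    REGULATED_SALE = "regulated product sale"


@dataclass(frozen=True)
class Policy:
    standard_days: Optional[int]     # default lifetime from the recording date
    regulatory_years: Optional[int]  # mandatory minimum (legal obligation), if any
    post_resolution_days: int        # keep this long after a complaint is resolved
    lawful_basis: str                # what the ROPA entry records


POLICIES = {
    Category.ROUTINE:        Policy(90,   None, 180,     "Art 6(1)(f) legitimate interests"),
    Category.COMPLAINT:      Policy(None, None, 180,     "Art 6(1)(f) legitimate interests"),
    Category.MIFID:          Policy(None, 5,    180,     "Art 6(1)(c) legal obligation (MIFID II)"),
    Category.REGULATED_SALE: Policy(None, 5,    6 * 365, "Art 6(1)(c) legal obligation (FCA)"),
}


@dataclass
class Recording:
    recording_id: str
    category: Category
    recorded_on: date
    complaint_opened_on: Optional[date] = None
    complaint_resolved_on: Optional[date] = None
    regulator_hold: bool = False   # FCA investigation or thematic review request


@dataclass(frozen=True)
class ErasureDecision:
    action: str                # "erase", "refuse" or "defer"
    reason: str                # goes into the written response to the data subject
    review_on: Optional[date]  # when a refusal should be re-examined


def add_years(d: date, years: int) -> date:
    """Same calendar date `years` ahead; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def regulatory_end(rec: Recording) -> Optional[date]:
    years = POLICIES[rec.category].regulatory_years
    return add_years(rec.recorded_on, years) if years is not None else None


def retention_end(rec: Recording) -> Optional[date]:
    """Earliest date the platform may auto-delete; None while a hold is in force."""
    if rec.regulator_hold:
        return None
    if rec.complaint_opened_on is not None and rec.complaint_resolved_on is None:
        return None                      # open complaint or dispute: hold until resolved
    pol = POLICIES[rec.category]
    candidates = []
    if pol.standard_days is not None:
        candidates.append(rec.recorded_on + timedelta(days=pol.standard_days))
    if regulatory_end(rec) is not None:
        candidates.append(regulatory_end(rec))
    if rec.complaint_resolved_on is not None:
        candidates.append(rec.complaint_resolved_on + timedelta(days=pol.post_resolution_days))
    # A complaint-category call with no outcome logged yields no date: it stays on hold.
    return max(candidates) if candidates else None


def should_auto_delete(rec: Recording, today: date) -> bool:
    end = retention_end(rec)
    return end is not None and today >= end


def handle_erasure_request(rec: Recording, today: date) -> ErasureDecision:
    """Check the retention flag before erasing; every refusal carries its legal basis."""
    reg_end = regulatory_end(rec)
    if reg_end is not None and today < reg_end:
        return ErasureDecision("refuse", "Art 17(3)(b): %s requires retention until %s"
                               % (POLICIES[rec.category].lawful_basis, reg_end), reg_end)
    if rec.regulator_hold:
        return ErasureDecision("refuse", "Art 17(3)(b): record requested by the FCA; hold in force", None)
    if rec.complaint_opened_on is not None and rec.complaint_resolved_on is None:
        return ErasureDecision("defer", "Art 17(3)(e): open complaint; needed to defend a potential claim", None)
    end = retention_end(rec)
    if rec.complaint_resolved_on is not None and end is not None and today < end:
        return ErasureDecision("refuse", "Art 17(3)(e): resolved complaint inside the referral window until %s" % end, end)
    # Inside the routine 90-day window the request is honoured: legitimate interests does
    # not override an objection unless compelling grounds are shown (Art 21(1)).
    return ErasureDecision("erase", "No retention obligation or overriding purpose remains", today)
```

Run the two functions as a nightly job: `should_auto_delete` drives the platform's deletion schedule, and `handle_erasure_request` produces the decision record (action, basis, review date) that the SAR/erasure tracker stores, so every refusal is documented rather than improvised by the agent who took the call.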

Vulnerable customer obligations

GDPR/ICO: Data minimisation applies to vulnerability data, and much of it is special category data: a note that a customer has a mental health condition is health data under Article 9 and must be handled accordingly.

FCA: Consumer Duty (and predecessor CONC/MCOB) requires identifying and accommodating vulnerable customers. This requires recording and using vulnerability information to adjust service.

Resolution: An Article 9 processing condition is required for vulnerability flags: explicit consent, or a substantial public interest condition (Schedule 1, Part 2, para 8 DPA 2018); the Part 2 conditions also require an appropriate policy document to be in place. Vulnerability data must be access-controlled, not visible to all agents, and subject to stricter retention limits.

PCI-DSS (payment data)

GDPR/ICO: Payment card data is personal data under GDPR. A PCI-DSS breach is also likely to be a personal data breach, which must be reported to the ICO within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must also be told without undue delay.

FCA: FCA firms handling payment cards are also subject to PCI-DSS. FCA supervisory teams consider PCI compliance failures as operational risk events.

Resolution: DTMF pause during card entry (telephony system must suspend recording during card entry). No card data in case notes. Agent desktop must not display full card numbers. Test annually.

Four common contact centre data protection failures

Excessive retention

How it happens: All call recordings retained indefinitely with no deletion schedule. Typically because the recording platform was configured in 2015 and nobody set up auto-deletion.

Risk: ICO investigation; storage cost; SAR scope balloons (must respond with 10 years of recordings); data breach impact increases.

Fix: Audit current platform retention settings. Configure auto-deletion by call type and date. Document in ROPA.

Weak ID&V allowing social engineering

How it happens: ID&V process uses easily-researched data (full name, postcode, date of birth) that is available on social media or through data brokers. Fraudsters impersonate customers.

Risk: Personal data breach (disclosure to an unauthorised third party must be reported to the ICO within 72 hours unless it is unlikely to result in a risk to individuals, and the customer must be told if the risk is high); fraud losses; ICO fine; FCA supervisory action.

Fix: Add a dynamic element to ID&V (one-time code, recent transaction verification). Introduce voice biometrics for high-risk account types. Track failed authentication attempts.

No erasure mechanism

How it happens: Responding to a subject erasure request by manually asking the IT team to delete records. No documented process; requests are lost or delayed.

Risk: ICO enforcement if erasure requests are not actioned within one month. Fine up to 4% of global turnover or £17.5M (UK GDPR maximum).

Fix: Configure erasure capability in all customer data systems. Build a tracked request process with a one-month SLA. Document which records cannot be erased and why.

Uncontrolled screen recording

How it happens: Screen recording captures agent desktop throughout the call — including when agents handle other customers' accounts in the same session, or when agents briefly access HR or payroll systems.

Risk: Recording and potentially breaching other customers' data; breaching employee personal data under GDPR (agents are data subjects too).

Fix: Configure screen recording to pause when agent navigates to non-customer-data applications. Restrict screen recording to call duration only. Include screen recordings in SAR scope.

GDPR and data protection questions

What is the lawful basis for call recording in a contact centre?

Most contact centres use legitimate interests (Art 6(1)(f)) for general service calls. FCA-regulated calls use legal obligation (Art 6(1)(c)) under MIFID II or CASS — which is stronger and does not require a legitimate interests balance. Consent is rarely used because it creates withdrawal problems and two-tier service. All recording requires a fair processing notice in the IVR before the call begins.

How long should call recordings be retained?

Routine service calls: 90 days–6 months. Complaints-related: through resolution + 6–12 months. MIFID II regulated calls: 5 years mandatory minimum. Sales calls for regulated products: 5 years. Retentions beyond 6 months need documented justification in the ROPA. Payment card data (DTMF tones) must not be recorded at all.

What must a contact centre do when it receives a Subject Access Request?

Respond within one month of receipt (extendable by up to a further two months for complex or numerous requests, provided the requester is told within the first month). Include all personal data: call recordings, screen recordings, call logs, case notes, chat transcripts, CRM records, profiling data. Redact third-party data before providing recordings. Include a covering letter describing data categories, purposes, lawful basis, retention periods, and rights (including the right to complain to the ICO).
