Call Recording and Data Protection

The concept of data protection is not new. Previously known as privacy by design, it has always been part of data protection law. The EU-wide General Data Protection Regulations (GDPR) came into force on May 25th 2018, and using those tools is now a legal requirement rather than being left to good practice. GDPR applies to any organisation that collects, stores and processes the personal data of people who live in countries that are members of the EU.

When recording telephone calls, you will likely need to be aware of GDPR because the recorded calls could contain personally identifiable information such as names and addresses, and sensitive information such as financial, health, religious and sexuality information.

When considering adding Call Recording to your communications platform there are a number of things to bear in mind.

Data protection features

Make sure that:

– Call recordings can only be accessed by authorised users
– Call recordings are stored in an encrypted format
– Call obfuscation masks out parts of phone calls containing personal data
– Calls older than a certain age are automatically removed


Article 6 of the GDPR text states that at least one of the following criteria must be met in order for recording calls (in this case) to be considered lawful:


Consent

The individual has given clear consent for you to record their call.


Contract

The recording is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation

The recording is necessary for you to comply with the law (not including contractual obligations) such as financial regulatory law.

Vital interests

The recording is necessary to protect someone’s life.

Public task

The recording is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests

The recording is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

When an individual does not give consent and there is no legal basis to record personal details in your phone calls, you can use the in-built call masking features of Echo to remove personal information from calls.

A general guide to GDPR is available from the United Kingdom’s Information Commissioner’s Office.

Individual rights

GDPR provides the following rights for individuals in relation to any call recording that contains their personal information:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision-making and profiling
