Do GDPR Rules Cover My Company’s Telephone Conversations in the UK?

As a business owner, you know the importance of communicating with your customers by phone. Whilst contacting clients by email is becoming more popular, there are times when telephone conversations remain crucial for your business. However, the General Data Protection Regulation (GDPR) and Data Protection Act limit what your organisation can and cannot do with phone calls. This article will explore the extent to which the GDPR limits the carrying out and recording of telephone calls. This will provide your business with information on good practices to avoid a potential fine from the Information Commissioner’s Office (ICO).

The GDPR?

The General Data Protection Regulation is in place to protect the personal information of individuals. Therefore, the GDPR applies to verbal or written communication which contains or records the personal data of others. It applies to all businesses, no matter their size or type, so it covers sole traders and public limited companies alike.

The GDPR contains a broad definition of personal data, which includes:

  • birth dates;
  • phone numbers;
  • email addresses;
  • copies of ID;
  • health data;
  • photographs; and 
  • home addresses.

The GDPR contains numerous principles, which include the following:

  1. data minimisation – only record as much personal data as truly necessary;
  2. security of personal data – ensure any verbal or written copies of conversations are stored safely to guard against data theft;
  3. storage limitation – delete call records after an appropriate period rather than keeping them indefinitely; and
  4. purpose limitation – only request relevant personal data (for example, there is no need to obtain an individual’s national insurance number for a one-off purchase).

In summary, the GDPR encourages UK businesses to limit the collection of personal data, both verbally and in writing.  It does so because this protects individuals by limiting the amount of personal information in the hands of others, which could be subject to data theft. 

The ICO?

The Information Commissioner’s Office is an independent organisation with the primary purpose of enforcement of data protection rights against UK businesses. It operates by providing in-depth and practical digital guides to GDPR compliance on its website. Additionally, it issues hefty fines of up to £17.5m against UK businesses that fail to comply. The ICO generally does the latter after finding an organisation guilty of GDPR violation following a formal investigation.

How Do GDPR Rules Affect My Company’s Telephone Conversations With Clients?

As the GDPR covers the processing and recording of any personal information that could allow identification of an individual (known as ‘personally identifiable information’), it covers practically every customer telephone call. This is mainly the case when the call begins with security questions which, by their very nature, involve discussion of personal data. 

Your business should therefore proceed with the belief that all telephone conversations with actual or potential customers come under the remit of the GDPR. It makes no difference if you make them from a landline or a business mobile. This means your organisation needs to avoid a breach of its legal requirements when handling sensitive information.

Carrying out the following actions will help your organisation stay in line with GDPR rules:

  1. inform actual or potential customers of any call recording at the start of the call, along with the reasons for doing so (which is usually for training purposes);
  2. make customers aware of any potential sharing of information with third parties, which is normal when contacting insurance companies, who tend to share data;
  3. provide staff with training on appropriate telephone conduct and put an audio recording policy in place; and
  4. ensure all audio recordings and written summaries of telephone conversations are stored securely to guard against unauthorised use or theft.

The GDPR also applies to verbal recordings alongside written documentation. This is particularly important with telephone conversations as most UK businesses tend to record them.  

One of the most important things to get right is to inform the customer of any call recording, whether through an automated message or your operator, making this clear at the very start of the call.  Any failure to do so is a likely breach of the GDPR, which the ICO will not tolerate.

Key Takeaways

The ICO is clear that the GDPR applies to personal information that could identify a living person.  So any telephone conversation involving a discussion of an individual’s personal data (including initial security questions) comes under GDPR rules. Your business must, therefore, comply with the GDPR in relation to its business telephone calls to avoid the risk of an ICO fine for GDPR violation.

If you need help ensuring that your business telephone conversations comply with GDPR rules, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Does the GDPR apply to all UK businesses?

Yes, the ICO website confirms that the data processing requirements of the GDPR apply equally to all businesses, whether sole traders, SMEs or international companies.

Does it make any difference if I call a customer from my personal mobile?

No.  The critical factor is whether the call relates to your business rather than the nature of the number used to call data subjects.

Thomas Sutherland
