UK GDPR call transcription: a clear guide
If you’re a UK business that transcribes or summarizes customer calls — for quality review, lead capture, staff training, or because your phone agent creates call notes — UK GDPR applies. The good news is that compliance is straightforward once you know what to do. The bad news is that most small businesses don’t do it correctly, and post-2025 enforcement is meaningfully tighter.
This is a practical guide. It’s not legal advice; if anything is unusual about your setup, speak to a UK data protection solicitor. But for the standard case — you transcribe or summarize inbound customer calls answered by a human or an automated phone agent — this is what you need.
The legal framework, in three sentences
Call transcripts, summaries, and metadata contain personal data, so the UK GDPR and the Data Protection Act 2018 apply. As of 5 February 2026, certain provisions were modernised by the Data (Use and Access) Act 2025, which clarified lawful bases for processing, tightened automated-decision-making rules, and increased PECR enforcement.
The Information Commissioner’s Office (ICO) is the regulator. They publish guidance for small businesses (worth bookmarking) and they investigate complaints from individuals.
The five things you need to have in place
1. A lawful basis
For transcribing or summarizing inbound business calls, the usual lawful basis is legitimate interests (Article 6(1)(f)) — specifically, the interest of running and improving your business. You should write down a short Legitimate Interests Assessment (LIA) explaining why the transcription or summary is necessary and proportionate, and what safeguards you have in place. Keep it on file; you don’t need to publish it.
For sensitive sectors (medical, financial advice), legitimate interests may not be enough. Get specific advice.
2. Up-front notice to the caller
UK GDPR is strict that processing must be transparent. The standard approach is a short notice at the start of every call:
“Hi, you’ve reached [Business Name]. This call may be transcribed or summarized for quality and follow-up. How can I help?”
That single sentence covers two obligations:
- The transcription disclosure — you’ve told the caller the call may be transcribed or summarized and given them the chance to hang up.
- The automation disclosure — if an automated agent answers, the caller should be told so, using wording that is transparent without making the opening feel robotic.
3. A privacy notice that explains it
On your website (the same notice that covers analytics, contact forms, etc.), explain:
- That you transcribe or summarize calls.
- The lawful basis (legitimate interests).
- How long you keep transcripts and summaries (3 months is a reasonable default).
- Who else processes them (your sub-processors — e.g., LucroVox, Twilio, OpenAI).
- How to exercise data subject rights (access, deletion, etc.).
The LucroVox UK Privacy Notice is a good example of structure: /uk/privacy.html.
4. A retention policy
UK GDPR requires that you not keep personal data longer than necessary. For inbound call transcripts and summaries, common retention periods are:
- 3–6 months — for purely operational call review.
- 12 months — if you also use them for staff coaching and quality.
- 6 years — only if there is a clear legal or regulatory reason (financial services, certain regulated trades).
Pick a default, write it down, and make sure your provider actually deletes after that period. LucroVox sets a default of 12 months and lets you configure it lower.
5. Data subject rights handling
Anyone whose personal data appears in a transcript or summary has the right to:
- A copy of the transcript or summary (Subject Access Request).
- Erasure, where the lawful basis no longer applies.
- Object to the processing.
Set up a single email alias (e.g., privacy@lucrovox.com) that goes to whoever handles these requests. Respond within one calendar month. Document each request and what you did.
If you use an AI receptionist (like LucroVox)
Two extra points apply to the setup:
- The AI is a sub-processor. If LucroVox handles your calls, we’re a processor and you’re the controller. We sign a UK GDPR Data Processing Agreement (DPA) with you. We have one ready — ask privacy@lucrovox.com.
- Onward sub-processors. LucroVox uses sub-processors such as Twilio (telephony) and AI model providers (for transcription and agent inference). We publish our sub-processor list and notify customers 30 days before adding a new one.
The DUAA 2025 changes worth knowing
The Data (Use and Access) Act 2025, in force from 5 February 2026, is largely modernisation rather than upheaval. The most relevant points for businesses transcribing or summarizing calls:
- Lawful bases were clarified, with new recognised legitimate-interest scenarios.
- Automated decision-making rules tightened — if your AI makes a decision with legal or similarly significant effect on the caller, additional safeguards apply.
- PECR enforcement (cookie banners, electronic marketing) got teeth: bigger fines, faster action.
- Subject Access Request handling clarified, including reasonable refusal of clearly excessive requests.
For most small UK businesses transcribing or summarizing inbound calls, none of these are dramatic — if you had a tidy UK GDPR posture in 2024, you have a tidy posture in 2026.
The five-minute compliance checklist
- Disclosure at the start of every call that may be transcribed or summarized.
- Privacy notice on the website that mentions calls.
- Retention period documented and enforced.
- DPA in place with any provider that transcribes, summarizes, or processes calls on your behalf.
- An email address that accepts data subject rights requests, with an SLA of one month.
That’s the lot. If anything in this list isn’t in place at your business, we recommend fixing it this week. It’s usually less than a half-day of work.