Recorded (or voice) data and GDPR


We have all heard that dreadful message when calling a company: “This call is being recorded for training and data quality purposes”. In truth, that is normally only part of the reason. The “data quality” part really means that, if we get into a dispute, we will call up the recording and use it to determine who is right, the customer or the organisation. Don’t get me wrong, there’s nothing really incorrect about the message; some people just don’t understand what “data quality purposes” really means and can, therefore, miss out on obtaining information.


So, what is missing here? From other blogs I have written you may see that the recorded message does not tell you how long the recording will be stored for, or how it will be destroyed. If this is not mentioned in the recorded message, then it should be mentioned somewhere in the terms & conditions. The mention could be very straightforward and simply say that any recording would be deleted within 12 months of the guarantee of that product expiring.


In all probability the data will be stored digitally on a cloud server somewhere, whereas “back in the day” tapes were used, but neither method is a reason to panic. The important thing is that the organisation controls access to its recordings and that its policies restrict access so that not everyone has access to a recording, unless you have a very small number of staff – and then that’s just impractical.

Recorded data can be one of the easiest sets of data to destroy. If your documentation takes over from your voice data quickly, then recordings can be regularly and quickly destroyed, e.g. within a month or two.


The length of time voice data can be stored depends on many things, including whether the personal information within the recording will play any part in a dispute or legal proceedings. If you do have a dispute with an organisation, you have every right to make a subject access request, once it is resolved, in the same way as you would for any other piece of information. Once the qualifying period has elapsed, you can request the removal of this information under your right to erasure.


As with everything, GDPR stresses that responses to requirements should be appropriate. In this case, the size and/or sophistication of the organisation and the sensitivity of the data collected would be the determinants of appropriateness.



There is so much more information available, some of it very detailed.  Please look through the other blogs and see if the information you want is provided.

If not, we would be pleased to answer your enquiry through , or visit for more information direct from the ICO.


