GDPR Compliance for Voice AI: A Practical Guide for UK Businesses

How to use AI voice agents while meeting your UK GDPR obligations.

Why GDPR matters for voice AI

Voice calls are rich with personal data. A single phone conversation might contain a caller's name, address, date of birth, account number, health information, or financial details. When that call is processed by an AI system -- transcribed, analysed, and stored -- the data processing obligations under the UK General Data Protection Regulation (UK GDPR) apply in full. Businesses that deploy voice AI without considering these obligations risk significant fines and reputational damage.

The good news is that GDPR compliance and voice AI are fully compatible. With the right technical measures and processes in place, you can use AI voice agents confidently. This guide covers the practical steps UK businesses need to take.

Legal basis for processing

Before recording or transcribing any call, you need a lawful basis under Article 6 of UK GDPR. For most business calls, the two relevant bases are consent and legitimate interests. Consent means the caller explicitly agrees to the recording, typically via a spoken prompt at the start of the call. Legitimate interests means you have a genuine business reason for processing the data (such as quality assurance or dispute resolution) that is not overridden by the caller's interests and fundamental rights.

For regulated industries like financial services or healthcare, consent is usually the safer choice. The caller hears a clear statement that the call will be recorded and processed by an AI system, and they have the option to object. VoxConnect supports configurable consent workflows that play a recording notice at the start of each call and can branch the workflow based on whether the caller consents or opts out.

If you rely on legitimate interests, you must document a Legitimate Interest Assessment (LIA) that weighs your business need against the impact on the individual. This assessment should be reviewed periodically and updated when your processing activities change.

Recording consent workflows

A well-designed consent workflow is brief and clear. At the start of the call, the AI agent states that the call is being recorded and may be processed by automated systems, explains the purpose (for example, quality and training), and offers the caller the option to proceed or request not to be recorded. If the caller opts out, the workflow can either continue without recording or transfer to a human agent.

In VoxConnect, this is implemented as a workflow node at the beginning of the call flow. The consent node plays the notice, listens for the caller's response, and branches accordingly. The consent decision is logged against the call record for audit purposes. This makes it straightforward to demonstrate compliance if queried by the ICO.
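The consent node described above, written out as an added example (not VoxConnect's own code): it classifies the caller's transcribed reply, branches to record, continue unrecorded or transfer, and produces an audit record; the notice wording, node names and sample replies are assumptions.

```python
"""Consent node for a call flow: play the notice, classify the caller's reply,
branch, and write an audit record. Example code, not VoxConnect's implementation."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json, re

# Hypothetical wording; the real notice must match your privacy information.
CONSENT_NOTICE = ("This call is being recorded and may be processed by an automated system "
                  "for quality and training. Say 'yes' to continue or 'no' to opt out.")
# Opt-out phrases are checked first so an ambiguous reply never enables recording.
_OPT_OUT = re.compile(r"\b(no|not|don'?t|do not|stop|without|opt out)\b", re.I)
_CONSENT = re.compile(r"\b(yes|yeah|ok|okay|fine|sure|agree|go ahead)\b", re.I)

def classify_reply(utterance: str) -> str:
    if _OPT_OUT.search(utterance):
        return "opt_out"
    if _CONSENT.search(utterance):
        return "consent"
    return "unclear"

@dataclass
class ConsentRecord:
    call_id: str
    decision: str    # consent | opt_out | unclear
    next_node: str   # record_and_continue | continue_unrecorded | transfer_to_human
    utterances: list # what the caller said, kept so the decision can be audited
    decided_at: str  # ISO-8601 UTC timestamp
    notice: str = CONSENT_NOTICE  # exact wording played, for the audit trail

def run_consent_node(call_id: str, replies: list, opt_out_action: str = "continue_unrecorded",
                     max_prompts: int = 2) -> ConsentRecord:
    """`replies` are the caller's transcribed answers per notice playback (constructed)."""
    heard = []
    for reply in replies[:max_prompts]:
        heard.append(reply)
        decision = classify_reply(reply)
        if decision == "consent":
            next_node = "record_and_continue"
            break
        if decision == "opt_out":
            next_node = opt_out_action
            break
    else:  # no clear answer: never record by default, hand over to a person
        decision, next_node = "unclear", "transfer_to_human"
    return ConsentRecord(call_id, decision, next_node, heard,
                         datetime.now(timezone.utc).isoformat())

def audit_line(rec: ConsentRecord) -> str:
    """One JSON line per decision, appended to the call's audit log."""
    return json.dumps(asdict(rec), sort_keys=True)
```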

Data retention

UK GDPR requires that personal data is not kept longer than necessary for the purpose it was collected. For call recordings and transcripts, you should define a retention period based on your business needs. Common retention periods are 30 days for quality assurance, 90 days for dispute resolution, and up to seven years for financial services where regulatory retention requirements apply.

VoxConnect allows you to configure data retention policies per tenant. Call recordings, transcripts, and analytics data can be set to auto-delete after your chosen period. When data is deleted, it is removed from all storage locations including backups, ensuring genuine erasure rather than just soft deletion.

Data subject access requests

Under UK GDPR, individuals have the right to request a copy of all personal data you hold about them. This includes call recordings, transcripts, and any derived data such as sentiment scores or call summaries. You must respond to a Data Subject Access Request (DSAR) within one calendar month.

To handle DSARs efficiently, you need to be able to search your call data by caller identity -- typically phone number. VoxConnect's call analytics include search and export functionality that lets you locate all calls from a specific number, export transcripts and metadata, and provide the data in a portable format. Having this capability built into the platform saves significant manual effort compared to searching through raw recordings.

Right to erasure

Individuals also have the right to request deletion of their personal data (the "right to be forgotten"). When you receive an erasure request, you must delete the caller's recordings, transcripts, and associated personal data unless you have a legal obligation to retain it (such as a regulatory retention requirement). You must also ensure that any sub-processors who hold copies of the data also delete it.
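The retention periods from the data retention section and the erasure rules above, as an added example (not VoxConnect's code): it computes when each call's recordings expire, builds an erasure manifest covering every store including backups and sub-processors, holds back calls under a regulatory retention duty, and only reports an erasure request fulfilled once every store has confirmed. Store names, the hold flag and the sample records are constructed.

```python
"""Retention expiry and erasure tracking for call data. Example code, not VoxConnect's
implementation; retention classes, store names and records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
# Periods from the guide: QA 30 days, disputes 90 days, financial services 7 years
# (approximated as 7 * 365 days here; use exact date arithmetic in production).
RETENTION_DAYS = {"quality_assurance": 30, "dispute_resolution": 90,
                  "financial_services": 7 * 365}
# Every place a copy can live; hypothetical store and sub-processor names.
STORES = ("primary", "backup", "stt_provider", "llm_provider")
KINDS = ("recording", "transcript", "analytics")

@dataclass(frozen=True)
class CallRecord:
    call_id: str
    caller_number: str
    created: date
    purpose: str                   # key into RETENTION_DAYS
    regulatory_hold: bool = False  # legal duty to retain: blocks deletion and erasure

def expiry_date(rec: CallRecord) -> date:
    return rec.created + timedelta(days=RETENTION_DAYS[rec.purpose])

def due_for_deletion(records, today: date) -> list:
    """Call ids whose retention period has ended and that are not under a hold."""
    return [r.call_id for r in records
            if not r.regulatory_hold and expiry_date(r) <= today]

def erasure_manifest(records, caller_number: str):
    """Turn a right-to-erasure request into one task per (call, kind, store), and
    list the calls that must be retained so the refusal can be explained."""
    tasks, retained = [], []
    for r in records:
        if r.caller_number != caller_number:
            continue
        if r.regulatory_hold:
            retained.append(r.call_id)
            continue
        tasks.extend((r.call_id, k, s) for k in KINDS for s in STORES)
    return tasks, retained

def erasure_complete(tasks, confirmations) -> bool:
    """Fulfilled only when every store (backups and sub-processors included) confirmed."""
    return set(tasks) <= set(confirmations)

# Constructed sample records (01632 960xxx is a UK number range reserved for drama).
SAMPLE = [CallRecord("c1", "+441632960001", date(2024, 1, 1), "quality_assurance"),
          CallRecord("c2", "+441632960001", date(2024, 1, 1), "dispute_resolution"),
          CallRecord("c3", "+441632960001", date(2024, 1, 1), "financial_services", True),
          CallRecord("c4", "+441632960002", date(2024, 1, 1), "quality_assurance")]
```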

Sub-processors and data flows

When using a voice AI platform, personal data flows through multiple systems: the SIP provider (Twilio or Telnyx), the media server (LiveKit), the speech-to-text provider, the LLM provider, and the platform's own storage. Each of these is a sub-processor under GDPR, and you need to ensure appropriate data processing agreements (DPAs) are in place with each one.

VoxConnect provides a DPA that covers the platform and its sub-processors. The platform is hosted in the UK and Netherlands, with data processing confined to these jurisdictions by default. You should review the sub-processor list and ensure it aligns with your data protection impact assessment (DPIA). If your business operates in a sector with additional requirements (such as healthcare or legal services), discuss specific configurations with your data protection officer.

Practical checklist

To summarise, UK businesses deploying voice AI should:

- determine and document their lawful basis for processing call data;
- implement a consent workflow if relying on consent;
- define and configure data retention periods;
- ensure they can respond to DSARs and erasure requests within the required timeframe;
- review sub-processor DPAs and data flow documentation;
- conduct a DPIA if processing special category data;
- keep their Record of Processing Activities (ROPA) updated to include voice AI processing.

With these measures in place, voice AI and GDPR compliance work hand in hand.