How to Set Up VoIP Call Recording for Business Compliance

Call recording has evolved from a nice-to-have feature to an essential compliance tool for UK businesses. Whether you’re operating in financial services, healthcare, or customer-facing retail, the ability to record, store, and retrieve VoIP calls is now fundamental to meeting your regulatory obligations. With the FCA, GDPR, and Ofcom all imposing specific requirements on how businesses handle telephone communications, getting your call recording setup right isn’t just about best practice — it’s about staying on the right side of the law.

In this comprehensive guide, we’ll walk you through everything you need to know about setting up VoIP call recording for business compliance in the UK. From understanding the legal landscape to choosing the right recording solution, configuring storage policies, and training your staff, this article covers it all.

Why Call Recording Matters for UK Businesses

Call recording isn’t simply about keeping tabs on employees or monitoring call quality — though those are certainly valuable benefits. For UK organisations, the primary driver behind call recording is regulatory compliance. Financial institutions, insurance providers, telecoms companies, and healthcare organisations all face stringent requirements to maintain accurate records of their telephone communications.

Beyond compliance, recorded calls serve as powerful tools for dispute resolution, staff training, quality assurance, and customer experience improvement. When a customer claims they were promised a particular deal or a staff member needs coaching on their telephone manner, having a reliable recording to refer back to is invaluable.

The shift to VoIP telephony has made call recording significantly more accessible and affordable than it was in the days of analogue phone systems. Modern cloud-based VoIP platforms can integrate call recording directly into their service, eliminating the need for expensive third-party hardware. However, this ease of implementation doesn’t remove the responsibility to configure recording correctly and in full compliance with UK law.

UK Legal Framework for Call Recording

The UK’s legal framework for call recording is shaped by several overlapping regulations. Understanding each one is essential before you configure your first recording policy.

FCA Requirements (Financial Conduct Authority)

The FCA’s requirements represent the most stringent call recording obligations in the UK. Under MiFID II (Markets in Financial Instruments Directive II) and the FCA’s own Conduct of Business Sourcebook (COBS), firms that carry out regulated financial activities are required to record all telephone conversations and electronic communications that relate to — or are intended to relate to — the reception, transmission, and execution of client orders.

Key FCA recording obligations include:

• All relevant calls must be recorded — this includes calls on personal devices if they relate to regulated business
• Recordings must be retrievable — the FCA can request recordings at any time, and firms must be able to locate and produce them promptly
• Six-year retention minimum — recordings must be stored securely for at least six years, with some categories requiring longer retention
• Quality standards — recordings must be of sufficient quality to be intelligible and usable as evidence
• Tamper-proof storage — recordings must be stored in a manner that prevents alteration or deletion

GDPR Considerations

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 impose significant obligations on any organisation that records telephone calls. Call recordings contain personal data — the voices, names, account details, and other information discussed during calls — and must therefore be handled in accordance with data protection principles.

Under UK GDPR, you must establish a lawful basis for recording calls. The most commonly relied-upon bases are:

• Legitimate interests — the organisation has a legitimate business interest in recording calls (e.g., quality assurance, training, dispute resolution) that is not overridden by the individual’s rights
• Legal obligation — the organisation is required by law to record calls (e.g., FCA-regulated firms)
• Consent — the individual has given clear, informed consent to the recording (though this is generally the weakest basis, as consent can be withdrawn)
• Contract performance — recording is necessary to fulfil a contractual obligation

Additional GDPR obligations include maintaining records of processing activities, conducting a Data Protection Impact Assessment (DPIA) where recording is likely to result in a high risk to individuals, and ensuring that callers can exercise their rights — including the right of access to their recordings and, in certain circumstances, the right to erasure.

Ofcom Regulations

Ofcom’s regulations, particularly the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (often referred to as the LBP Regulations), permit businesses to record calls without the explicit consent of the other party, provided specific conditions are met. These include recording for the purpose of:

• Establishing the existence of facts relevant to the business
• Ascertaining compliance with regulatory or self-regulatory practices
• Ensuring the effective operation of the telecommunications system
• Monitoring standards of service and staff training
• Preventing or detecting crime
• Investigating unauthorised use of the telecommunications system

It’s important to note that the LBP Regulations only apply to calls made on the business’s own telecommunications system. Recording calls on employees’ personal devices falls outside these provisions and requires a different legal approach.

Types of VoIP Call Recording

Modern VoIP systems offer several approaches to call recording, each suited to different compliance needs and business scenarios. Understanding the differences will help you choose the right configuration for your organisation.

Automatic (Always-On) Recording

Automatic recording captures every single call that passes through your VoIP system, with no manual intervention required. This is the default choice for FCA-regulated firms, debt collection agencies, and any organisation where the risk of missing a recordable call is too high to accept.

Advantages: Complete coverage with zero reliance on staff to remember to start recording. Ensures no regulated conversation is ever missed. Simplifies compliance auditing.

Disadvantages: Generates very large volumes of recorded data, increasing storage costs. May record non-business calls (e.g., personal calls made on business lines), raising additional GDPR considerations.

On-Demand Recording

On-demand recording gives individual users the ability to start and stop recording during a call, typically by pressing a button on their desk phone or clicking an option in their softphone application. This approach offers maximum flexibility but introduces significant compliance risk.

Advantages: Reduces storage requirements. Allows staff to avoid recording sensitive segments (e.g., payment card details, as required by PCI DSS). Gives staff control over the recording process.

Disadvantages: Relies entirely on staff remembering to activate recording. Creates gaps in the compliance record. Not suitable for FCA-regulated environments where all relevant calls must be captured.

Selective (Policy-Based) Recording

Selective recording uses predefined rules to determine which calls are recorded. Rules can be based on the department, individual user, phone number, time of day, call direction (inbound/outbound), or other criteria. This strikes a balance between comprehensive coverage and storage efficiency.

Advantages: Targets recording where it’s needed most. Reduces storage volumes compared to always-on recording. Can be tailored to match specific regulatory requirements.

Disadvantages: Requires careful policy design to avoid gaps. Needs ongoing maintenance as business needs change. May miss unexpected calls that fall outside the predefined rules.

Staff Notification Requirements

Informing your staff and callers about call recording is both a legal obligation and a matter of good business practice. The notification requirements differ depending on whether you are informing your own employees or external callers.

Notifying Your Employees

Under UK employment law and GDPR, employers must inform staff that their calls may be recorded. This is typically achieved through:

• Employment contracts — include a clause explicitly stating that business calls may be monitored and recorded
• Employee handbook/policy — provide a detailed call recording policy that explains what is recorded, why, how recordings are stored, who has access, and how long they are retained
• Training — ensure all staff receive training on the call recording policy during onboarding and at regular intervals thereafter
• Privacy notice — your internal privacy notice should reference call recording as a processing activity

Notifying External Callers

Best practice — and in many scenarios a legal requirement — is to notify external callers that their call is being recorded. This is most commonly achieved through an automated announcement played at the start of the call, such as: “This call may be recorded for training, quality assurance, and regulatory compliance purposes.”

The notification should be clear, concise, and played before the call connects to a live agent. If your VoIP system supports it, consider offering callers the option to request that recording be paused for sensitive information — this is particularly relevant for PCI DSS compliance when taking payment card details over the phone.

Storage and Retention Policies

Call recording generates significant volumes of data, and managing that data responsibly is a core compliance requirement. Your storage and retention policies must balance regulatory obligations, data protection principles, and practical cost considerations.

Retention Periods by Sector

Storage Best Practices

Regardless of your sector, several storage principles apply universally:

• Encryption at rest and in transit — all recordings must be encrypted using strong, current encryption standards (AES-256 is the industry standard)
• Access controls — implement role-based access so that only authorised personnel can listen to, download, or delete recordings
• Tamper-proof audit trails — maintain logs of who accessed which recordings, when, and what actions they performed
• Geographic data residency — under UK GDPR, you must know where your recordings are stored. If using cloud storage, ensure your provider offers UK or EEA-based data centres
• Automated deletion — configure your system to automatically purge recordings once they exceed their required retention period, in line with GDPR’s data minimisation principle
• Backup and disaster recovery — ensure recordings are included in your business continuity plans, with regular backups and tested recovery procedures

Storage Cost Considerations

The volume of data generated by call recording can be substantial. A typical business phone call recorded in G.711 format generates approximately 60–80 MB per hour of audio. Compressed formats such as G.729 or Opus can reduce this to 5–15 MB per hour without significant loss of intelligibility.

For a business with 50 agents averaging 4 hours of call time per day, this translates to roughly:

• G.711 (uncompressed): 12–16 GB per day, approximately 3–4 TB per year
• G.729/Opus (compressed): 1–3 GB per day, approximately 250–750 GB per year

At current UK cloud storage rates of approximately £0.02–£0.05 per GB per month, annual storage costs for compressed recordings would range from £60 to £450 for this scenario. Uncompressed recordings would cost £720 to £2,400 annually. When factoring in the six-year FCA retention requirement, total storage costs can accumulate significantly.

PCI DSS Considerations

If your business takes payment card details over the phone — which many UK businesses do — you must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS has very specific rules about call recording that often conflict with other compliance requirements.

To reconcile call recording with PCI DSS, UK businesses typically implement one or more of the following approaches:

• Pause and resume — automatically or manually pause recording when the agent begins taking payment details, then resume once the transaction is complete. Most modern VoIP platforms support this natively
• DTMF masking — when the customer enters card details using their phone keypad (DTMF tones), the recording system masks or suppresses the tones so the card number cannot be reconstructed from the recording
• Secure payment IVR — route the payment portion of the call through a secure IVR system that collects card details without agent involvement, keeping the recording completely free of payment data
• Agent-assisted payment platforms — use a specialist payment platform that keeps the agent on the line while the customer enters card details through a separate secure channel

The pause-and-resume approach is the most common in UK businesses. However, if you are also subject to FCA recording requirements, you must ensure that the pause is limited strictly to the payment segment and that all other conversation is captured.

Compliance Frameworks and Standards

Beyond the core regulations, several industry frameworks and standards provide additional guidance on call recording best practices. Aligning your recording setup with these frameworks demonstrates a mature compliance posture and can simplify audits.

ISO 27001 (Information Security Management)

ISO 27001 provides a comprehensive framework for managing information security risks, including those related to call recordings. If your organisation is ISO 27001 certified — or working towards certification — your call recording system should be included in your Information Security Management System (ISMS) and subject to regular risk assessments.

Cyber Essentials / Cyber Essentials Plus

While Cyber Essentials does not specifically address call recording, the technical security controls it mandates (firewalls, access control, patch management, malware protection, secure configuration) apply to the systems that store and process your recordings.

FCA Senior Managers and Certification Regime (SM&CR)

Under SM&CR, senior managers in FCA-regulated firms are personally accountable for the areas of business they oversee. This includes ensuring that call recording systems are properly configured, maintained, and compliant. A failure in call recording could result in personal liability for the responsible senior manager.

Recording Solutions for Different VoIP Platforms

The call recording landscape for UK businesses varies significantly depending on your VoIP platform. Here’s what you need to know about the most popular options.

Microsoft Teams

Microsoft Teams offers native call recording capabilities, but the compliance features vary by licence tier. For full compliance recording — the kind that captures every call automatically with tamper-proof storage — you’ll typically need a Microsoft 365 E5 licence or the Microsoft 365 E5 Compliance add-on, which starts at approximately £30–£50 per user per month.

Third-party compliance recording solutions from vendors such as ASC Technologies, Dubber, and Verint integrate with Teams via Microsoft’s compliance recording APIs, offering additional features such as AI-powered analytics, advanced search, and custom retention policies.

3CX

3CX includes built-in call recording at no additional cost across all licence tiers. Recordings can be configured per extension, ring group, or call queue, with options for automatic, on-demand, or policy-based recording. Storage can be local or cloud-based, and 3CX supports integration with external compliance platforms for long-term archival.

Hosted VoIP / UCaaS Platforms

Cloud-hosted VoIP providers such as RingCentral, 8x8, Vonage, and Gamma typically include call recording as a standard or add-on feature. When evaluating hosted platforms, ensure the provider can confirm:

• UK-based data storage (or at minimum, EEA-based)
• Configurable retention periods that meet your regulatory requirements
• Tamper-proof storage with audit trails
• GDPR-compliant data processing agreements
• PCI DSS pause-and-resume or DTMF masking capabilities
• API access for integration with your compliance or CRM systems

On-Premises SIP/PBX Systems

For organisations running on-premises VoIP infrastructure (e.g., Asterisk, FreeSWITCH, or Cisco Unified Communications Manager), call recording is typically handled through dedicated recording servers or SBC (Session Border Controller) integration. While this approach offers maximum control over your data, it also places full responsibility for security, storage, and compliance on your internal IT team.

Quality Assurance and Training Uses

While compliance is the primary driver for call recording, the recordings themselves are a treasure trove of business intelligence when used for quality assurance and training purposes.

Call Scoring and Evaluation

Many UK businesses implement formal call scoring frameworks, where supervisors review a sample of recorded calls against predefined quality criteria. Typical scoring dimensions include:

• Greeting and identification — did the agent identify themselves and the company correctly?
• Needs assessment — did the agent ask appropriate questions to understand the caller’s requirements?
• Product/service knowledge — did the agent provide accurate information?
• Compliance adherence — did the agent follow required scripts and disclosures?
• Resolution and follow-up — was the caller’s issue resolved, and were any next steps clearly communicated?
• Tone and professionalism — was the agent courteous and professional throughout?

AI-Powered Analytics

Modern call recording platforms increasingly incorporate AI and machine learning capabilities to analyse recordings at scale. These tools can automatically detect sentiment, identify keywords and phrases, flag compliance risks, and surface calls that warrant human review. For UK businesses handling thousands of calls per day, AI analytics can transform call recording from a passive compliance tool into an active quality improvement engine.

Implementation Steps: Setting Up VoIP Call Recording

Implementing VoIP call recording for compliance is a multi-stage project that requires input from IT, legal, compliance, HR, and operations teams. Below is a step-by-step implementation framework tailored for UK businesses.

Step 1: Conduct a Compliance Assessment

Begin by identifying all regulatory obligations that apply to your business. Engage your compliance team or external legal advisors to map out exactly which calls need to be recorded, for how long, and under what conditions. Document the lawful basis for recording under GDPR, and assess whether a Data Protection Impact Assessment (DPIA) is required.

Key questions to answer at this stage:

• Which regulations apply to our business (FCA, PCI DSS, Ofcom, sector-specific)?
• Which departments, roles, or phone lines must be recorded?
• What is the required retention period for each category of recording?
• Do we take payment card details over the phone?
• Where must recordings be stored geographically?
• Who needs access to recordings, and under what circumstances?

Step 2: Select Your Recording Solution

Based on your compliance assessment, evaluate recording solutions that meet your specific requirements. Consider whether your existing VoIP platform’s built-in recording capabilities are sufficient, or whether you need a third-party compliance recording solution.

Key evaluation criteria include:

• Support for your required recording mode (automatic, on-demand, selective)
• PCI DSS pause-and-resume or DTMF masking capabilities
• Configurable retention policies with automated deletion
• UK/EEA data residency options
• Encryption standards (AES-256 at rest, TLS 1.2+ in transit)
• Role-based access controls and audit logging
• Search and retrieval capabilities (for responding to FCA requests or GDPR subject access requests)
• Integration with your existing CRM, compliance, or workforce management systems
• Scalability and pricing model (per-user, per-channel, or storage-based)

Step 3: Configure Recording Policies

With your solution selected and deployed, configure the recording policies that will govern which calls are captured and how they are handled. This typically involves:

• Defining recording rules per department, user group, or phone number range
• Configuring automatic recording triggers (e.g., all inbound calls to the sales team, all outbound calls from the compliance department)
• Setting up PCI DSS pause-and-resume triggers for payment processing
• Establishing retention policies with automated purge schedules
• Configuring storage locations and encryption settings
• Setting up role-based access permissions
• Enabling audit logging for all recording-related actions

Step 4: Implement Caller Notifications

Configure your VoIP system to play an automated recording notification at the start of each call. Work with your compliance and legal teams to draft appropriate notification scripts that satisfy both GDPR transparency requirements and Ofcom guidelines.

Ensure notifications are played consistently across all call paths — including direct dial numbers, IVR menus, call queues, and transferred calls. Test thoroughly to confirm that no call path bypasses the notification.

Step 5: Update Policies and Train Staff

Update your employment contracts, employee handbook, privacy notices (both internal and external), and data processing records to reflect the new call recording arrangements. Conduct training sessions with all affected staff, covering:

• What is being recorded and why
• How to use on-demand or pause-and-resume controls (if applicable)
• What to do if a caller objects to being recorded
• How to handle GDPR subject access requests for call recordings
• The consequences of attempting to circumvent recording (e.g., using personal devices for business calls)

Step 6: Test, Audit, and Go Live

Before going live, conduct thorough testing to verify that:

• All designated calls are being recorded correctly
• Recording quality is sufficient for compliance purposes
• Caller notifications play correctly on all call paths
• PCI DSS pause-and-resume functions as expected
• Recordings are being stored in the correct location with proper encryption
• Retention and auto-deletion policies are working
• Search and retrieval functions return accurate results
• Access controls and audit logs are functioning

After go-live, schedule regular compliance audits — at least quarterly — to verify ongoing compliance and address any issues that arise.

Estimated Implementation Costs for UK Businesses

The cost of implementing VoIP call recording varies widely depending on the size of your organisation, your chosen platform, and the complexity of your compliance requirements. Below are typical cost ranges for UK businesses.

Common Mistakes to Avoid

Based on our experience helping UK businesses implement compliant call recording, here are the most common pitfalls we see:

• Assuming all VoIP recording is compliant by default — built-in recording features may not meet FCA or PCI DSS requirements without additional configuration
• Forgetting about mobile and remote workers — with hybrid working now standard in the UK, ensure your recording solution covers softphone and mobile app calls, not just desk phones
• Storing recordings outside the UK/EEA — this can create significant GDPR compliance issues, particularly post-Brexit
• Not testing retention policies — automated deletion sounds straightforward, but bugs in retention logic can result in either premature deletion (compliance risk) or indefinite retention (GDPR risk)
• Ignoring PCI DSS — if any of your recorded calls contain payment card data, you are in breach of PCI DSS. Implement pause-and-resume or DTMF masking from day one
• Failing to update policies when staff change — when employees join, leave, or change roles, your recording policies must be updated accordingly
• Not planning for Subject Access Requests (SARs) — under GDPR, individuals have the right to request copies of their call recordings. Ensure your system supports efficient search and retrieval to meet the one-month SAR deadline

Future Trends in UK Call Recording Compliance

The call recording compliance landscape continues to evolve. UK businesses should be aware of several emerging trends:

• AI-driven compliance monitoring — real-time analysis of calls for regulatory keywords, risk indicators, and compliance breaches, with automatic flagging for review
• Unified communications recording — as businesses adopt platforms like Microsoft Teams and Zoom for all communications, recording requirements are expanding to cover video calls, chat messages, and screen shares alongside traditional voice calls
• Stricter FCA oversight — the FCA continues to increase its focus on communications surveillance, with new guidance expected on the use of encrypted messaging apps and social media for business communications
• Cloud-first recording architectures — the shift to cloud-based recording platforms is accelerating, driven by scalability, cost efficiency, and the ability to support distributed workforces
• Greater emphasis on data sovereignty — post-Brexit developments in UK data protection law may introduce new requirements for where and how call recordings are stored

How CloudSwitched Can Help

At CloudSwitched, we specialise in helping UK businesses implement VoIP solutions that are compliant, secure, and tailored to their specific industry requirements. Our team of telecommunications and compliance experts can guide you through every stage of the call recording implementation process — from initial compliance assessment through to deployment, training, and ongoing support.

Whether you’re an FCA-regulated financial services firm that needs full MiFID II-compliant recording, a healthcare provider looking to improve patient communication records, or a growing SME that simply wants to ensure its call recording setup meets GDPR requirements, we have the expertise and the technology partnerships to deliver the right solution.

Conclusion

Setting up VoIP call recording for business compliance is not a one-size-fits-all exercise. The right approach depends on your industry, the regulations that apply to your business, the VoIP platform you use, and the specific risks you face. What remains constant, however, is the importance of getting it right. Non-compliance with FCA, GDPR, PCI DSS, or Ofcom requirements can result in substantial fines, enforcement action, loss of business licences, and lasting reputational damage.

By following the steps outlined in this guide — conducting a thorough compliance assessment, selecting the right recording solution, configuring policies carefully, notifying staff and callers, and maintaining ongoing oversight — you can build a call recording system that protects your business, satisfies your regulators, and delivers genuine operational value through quality assurance and training.

The investment in compliant call recording pays for itself many times over, not just in avoided fines and penalties, but in improved customer service, faster dispute resolution, better staff performance, and the peace of mind that comes from knowing your communications are properly managed and secured.