UK GDPR requires every AI voice agent deployment to have a documented lawful basis before any call is made. Legitimate interest applies to inbound customer service calls; PECR Section 19 requires prior explicit consent for automated marketing calls. Ofcom 2025 rules mandate AI disclosure within the first 5 seconds. ICO can fine up to £500,000 for PECR breaches.
Call recordings must be retained for the minimum period necessary: typically 6 months for customer service, up to 7 years for FCA-regulated financial advice. UK GDPR fines can reach £17.5 million for the most serious violations. At Softomate, we conduct a full compliance review before any voice agent build begins.
Last updated: 18 May 2026
Published 18 May 2026

UK GDPR applies to any processing of personal data - and every AI voice call involving an identifiable person qualifies. Before deploying a voice agent, you must identify a lawful basis, document it, and ensure your privacy notice reflects it. There is no opt-out from this requirement.
When we onboard a new client at Softomate, the first conversation is never about the technology stack. It is about the lawful basis. We have seen businesses invest in VAPI-powered voice agents, configure Twilio telephony, license ElevenLabs voices, and then realise - often two weeks before go-live - that they have no documented basis for processing caller data. That is an expensive mistake to unpick.
The average UK full-time receptionist cost in London is £28,000-35,000/year in salary plus 25-30% employer on-costs (National Insurance, pension, holiday pay), totalling £35,000-45,500/year. AI receptionist setup costs range from £1,500-8,000 with monthly running costs of £100-400. The break-even point versus a human receptionist is typically 3-5 months. UK businesses using AI receptionists report 92% of calls answered within 2 seconds (versus 35% for human receptionists during peak hours). After-hours call capture rates improve by 40-65% when businesses deploy AI receptionists: UK trade businesses receive 28% of their enquiries between 6pm and 8am, 40% of which were previously missed. AI receptionist booking accuracy (correctly captured name, number, and appointment slot) averages 96% for clearly spoken calls. UK dental practices using AI receptionists report 18% reduction in DNA (did not attend) rates due to automated 24-hour SMS reminders. The ICO confirmed in 2024 that AI receptionist deployments are lawful under UK GDPR when callers are informed of automation at call start.
The six lawful bases under UK GDPR are set out in Article 6. In practice, AI voice agent deployments typically rely on one of two: legitimate interest or consent. The choice depends entirely on the purpose of the call.
Legitimate interest applies where the processing is necessary for a purpose that a reasonable person would expect and where that interest is not overridden by the rights of the individual. For inbound customer service calls - where a caller has contacted your business to get help - legitimate interest is generally available, provided you complete a Legitimate Interest Assessment (LIA) and record it. The LIA has three parts: purpose test (is the interest legitimate?), necessity test (is processing needed to achieve it?), and balancing test (does the individual's interest override yours?).
Consent under UK GDPR must be freely given, specific, informed, and unambiguous. For outbound automated calls with a marketing purpose, consent under PECR Section 19 is required - and that consent must be obtained before the call is made, not during it. We cover PECR in detail in the next section, but the practical implication is clear: you cannot run an outbound AI calling campaign to a purchased list without prior consent, full stop.
Beyond lawful basis, UK GDPR imposes several other obligations that directly shape how a voice agent must be designed:
Data minimisation: only collect what is necessary for the stated purpose. If the voice agent is booking appointments, it should not be asking for date of birth, payment card details, or medical history unless those are strictly necessary for the booking. We configure VAPI and Bland.ai agents with explicit instruction sets that limit data elicitation to what the LIA covers.
Purpose limitation: call data collected for customer service cannot be repurposed for AI model training without a separate consent mechanism. The ICO is clear that using real customer call recordings to train or fine-tune a voice model is a new and distinct purpose requiring its own lawful basis - and in practice, that means explicit consent from each caller whose recording is used.
Data subject rights: callers retain the right to request erasure of their call recordings under Article 17. Your systems must be capable of locating and deleting specific recordings on request. This has infrastructure implications: if your call recordings sit in a Twilio bucket with no metadata linking them to individual callers, you cannot honour erasure requests. We build caller-linked metadata into every voice agent we deploy.
Data Processing Agreements: VAPI, ElevenLabs, Twilio, Bland.ai - every platform that processes personal data on your behalf is a data processor under UK GDPR. You must have a signed Data Processing Agreement (DPA) with each one before going live. Most major platforms provide standard DPAs, but you should check that the DPA covers sub-processors and restricts the platform from using your call data for its own training purposes.
| Call type | Lawful basis | GDPR notes |
|---|---|---|
| Inbound customer service | Legitimate interest | LIA required and must be documented |
| Outbound appointment reminder | Legitimate interest | Soft opt-in needed; must be service-related |
| Outbound marketing call | Consent (PECR) | PECR Section 19 applies; consent must be prior |
| Call recording for QA | Legitimate interest | Retention policy required; callers must be informed |
| AI training on call data | Explicit consent | Separate consent required; cannot rely on LI |
Getting the lawful basis right is not a box-ticking exercise. It shapes every downstream decision: what data the agent collects, how long recordings are kept, whether you can use the data to improve your model, and how you respond to subject access requests. We treat it as the foundation of every voice agent build, not an afterthought.
PECR - the Privacy and Electronic Communications Regulations 2003 - sits alongside UK GDPR and imposes additional rules specifically on electronic marketing and automated communications. For AI voice agents making outbound calls, PECR is often the more immediate compliance risk than GDPR itself.
The critical provision is Section 19 of PECR. It prohibits automated calls for direct marketing purposes unless the called party has given prior consent. This is not the same as GDPR consent - PECR consent for automated marketing calls must be specifically for that purpose, obtained before the call, and cannot be inferred from a pre-ticked box, a soft opt-in, or a general terms-of-service agreement.
The word 'automated' in PECR covers AI voice agents entirely. There is no carve-out for AI-generated calls that sound natural or that use a real human voice profile. If the call is initiated and conducted by a system rather than a live human, it is an automated call for PECR purposes. This position has been confirmed in ICO enforcement action against robocall operators and is consistent with Ofcom's 2025 guidance on AI-generated communications.
PECR does provide a 'soft opt-in' exception, but it applies only to marketing calls to existing customers about similar products or services, and only where the customer was given a clear opportunity to opt out at the point their details were collected and at every subsequent contact. Even this exception does not authorise automated calls - the soft opt-in covers live marketing calls. For automated dialling, Section 19 consent is always required.
The ICO enforces PECR separately from UK GDPR. Fines under PECR can reach £500,000 per breach - and that ceiling is distinct from the UK GDPR maximum of £17.5 million (or 4% of global turnover). In practice, businesses that use AI calling systems for unsolicited marketing can face cumulative fines from both regimes. The ICO has shown willingness to pursue smaller operators: in recent enforcement action, fines of between £80,000 and £200,000 have been issued to businesses making tens of thousands of automated marketing calls without consent.
At Softomate, we configure outbound voice agents in two distinct modes: service mode (appointment reminders, order updates, post-service check-ins) and marketing mode. Service mode calls to existing customers can proceed on legitimate interest with appropriate safeguards. Marketing mode requires a verified, timestamped consent record for each recipient before the agent will dial. We build this consent verification into the outbound calling logic itself - the agent will not dial a number that does not have a confirmed PECR-compliant consent record attached.
Here are 6 things you cannot do with an AI outbound caller under PECR:
PECR compliance is not optional and it is not a minor technicality. It is the primary legal gate that determines whether your AI outbound calling programme can operate at all. If you are unsure whether your use case falls inside or outside PECR, the answer is to treat it as inside PECR until you have legal advice confirming otherwise.
Recording calls in the UK is lawful only when done in accordance with several overlapping legal frameworks. An AI voice agent that records calls must comply with all of them - not just UK GDPR, but also RIPA, the Telecommunications Regulations, and ICO guidance on call monitoring. Getting any one of these wrong exposes you to regulatory enforcement, civil claims, and reputational damage.
The Regulation of Investigatory Powers Act 2000 (RIPA) permits a business to record calls on its own network for purposes including preventing or detecting crime, investigating the unauthorised use of a telecommunications system, or for quality monitoring and staff training. Crucially, RIPA does not require consent from both parties when a business records calls on its own system for these permitted purposes - but it does require that the recording is not used for any other purpose. Using call recordings to train an AI model, for example, would be outside the permitted RIPA purposes.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 provide the specific authorisation for businesses to intercept calls on their own networks for quality, training, and compliance purposes. The key requirement is that all reasonable efforts are made to inform both parties that calls may be monitored or recorded. This is where the standard 'calls may be recorded for training and quality purposes' announcement comes from - it satisfies the Telecommunications Regulations requirement.
ICO guidance goes further and states that both parties should be made aware that a recording is taking place. For AI voice agents, this means the disclosure must happen at the start of the call, before any substantive conversation begins. It is not sufficient to include this information only in a privacy notice on your website - the caller must be informed in the call itself.
Ofcom's 2025 rules on AI-generated calls add a further layer: the automated nature of the call must be disclosed within the first 5 seconds. This disclosure must come before any sales or service conversation begins. We cover the exact wording requirements in Section 5 below.
Here are 5 steps to make call recording legally compliant for AI voice agents:
One practical point that catches businesses out: if your AI voice agent uses Twilio for telephony and a separate recording service such as Twilio's call recording feature or a third-party transcription service, each of those recording and processing steps requires its own legal basis and DPA. The chain of data processors can be longer than it looks, and every link must be compliant.
UK GDPR's storage limitation principle, set out in Article 5(1)(e), requires that personal data is kept no longer than necessary for the purpose for which it was collected. For call recordings, this means every business must define a documented retention period and enforce it - 'we keep recordings indefinitely' is never compliant.
The ICO does not prescribe a single retention period for call recordings across all sectors. Instead, it expects each organisation to justify its retention period based on the purpose of the recording. In our experience working with UK businesses across several sectors, the following periods reflect current ICO guidance and sector-specific regulatory requirements:
For general customer service calls - where the recording exists for quality monitoring, dispute resolution, and staff training - 6 months is the period that the ICO most commonly cites in its guidance. Beyond 6 months, the ICO considers that most legitimate purposes for retaining a customer service recording will have been satisfied. If you cannot articulate why you need the recording after 6 months, you should not be keeping it.
For calls involving financial advice, the FCA's COBS 9A rules require records of personal recommendations to be kept for at least 5 years, and for pension-related advice, up to 8 years. Where an AI voice agent is conducting regulated financial advice conversations - which is itself a heavily regulated activity requiring FCA authorisation - the 7-year retention period is the standard minimum.
For recruitment calls, the ICO guidance suggests retaining records only for as long as the recruitment process continues, plus a reasonable period for handling any challenge to a recruitment decision - typically 6 to 12 months after the process concludes.
Healthcare calls present the most complex picture. NHS guidance on health record retention sets minimum periods by record type, many of which exceed 8 years. CQC-registered providers must follow the NHS Records Management Code of Practice. AI voice agents handling patient triage, appointment booking, or clinical communications are subject to these extended periods - which has significant implications for storage costs and data architecture.
Whatever retention period you set, it must be automated. We build retention enforcement directly into the voice agent infrastructure: Twilio recordings are tagged with metadata at the point of creation, and a scheduled deletion job runs at the end of the retention window without manual intervention. Relying on someone remembering to delete recordings is not a compliance strategy.
| Sector | Typical retention period | Legal basis / source |
|---|---|---|
| Customer service (general) | 6 months | ICO guidance on call recordings |
| Financial advice | 7 years (pension advice: 8 years) | FCA COBS 9A |
| Recruitment | 12 months post-process | ICO guidance on employment records |
| Healthcare | 8+ years (varies by record type) | NHS Records Management Code / CQC |
| General business (non-regulated) | 3 to 6 months | Legitimate interest, proportionality test |
Retention policy documentation is not optional - it must exist in writing, be approved by whoever is responsible for data protection in your organisation, and be reflected in your privacy notice. The ICO expects to see documented retention schedules during audits, and their absence is treated as a compliance gap even if your actual retention periods are reasonable.
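The two enforcement points described above, the consent gate on outbound dialling in marketing mode and the caller-linked metadata that drives scheduled deletion and Article 17 erasure, as an added Python illustration. This is not Softomate's code or any platform's API; the sector labels, the ConsentRecord and Recording fields and the 07700 900xxx sample numbers are assumptions for the example, with retention windows taken from the table above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Retention windows in days from the article's sector table; the sector
# labels are assumed names for this example, not a platform API.
RETENTION_DAYS = {
    "customer_service": 183,       # about 6 months, ICO guidance
    "financial_advice": 7 * 365,   # 7 years, FCA COBS 9A
    "recruitment": 365,            # 12 months post-process
    "healthcare": 8 * 365,         # 8+ years, NHS Records Management Code
}

@dataclass
class ConsentRecord:
    """A PECR s.19 consent for automated marketing calls to one number."""
    number: str
    purpose: str                   # only "marketing" consent unlocks marketing dials
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class Recording:
    """Metadata written when a recording is created so retention and erasure work."""
    recording_id: str
    caller_id: str                 # links the recording to one data subject
    sector: str
    created_at: datetime
    delete_after: datetime

class VoiceAgentCompliance:
    def __init__(self, consents: List[ConsentRecord]) -> None:
        self._consents: Dict[str, ConsentRecord] = {c.number: c for c in consents}
        self._recordings: Dict[str, Recording] = {}

    def may_dial(self, number: str, mode: str, now: datetime) -> Tuple[bool, str]:
        """Service mode rests on legitimate interest; marketing mode needs prior consent."""
        if mode == "service":
            return True, "service call under legitimate interest"
        if mode != "marketing":
            return False, f"unknown mode {mode!r}"
        consent = self._consents.get(number)
        if consent is None or consent.purpose != "marketing":
            return False, "no PECR s.19 marketing consent on record"
        if consent.withdrawn_at is not None and consent.withdrawn_at <= now:
            return False, "consent withdrawn"
        if consent.given_at > now:
            return False, "consent must predate the call"
        return True, f"consent given {consent.given_at.isoformat()}"

    def tag_recording(self, recording_id: str, caller_id: str, sector: str,
                      created_at: datetime) -> Recording:
        """Attach caller link and deletion deadline at the point of creation."""
        days = RETENTION_DAYS[sector]          # unknown sector raises: no silent default
        rec = Recording(recording_id, caller_id, sector, created_at,
                        created_at + timedelta(days=days))
        self._recordings[recording_id] = rec
        return rec

    def purge_expired(self, now: datetime) -> List[str]:
        """Scheduled deletion job: remove every recording past its retention window."""
        expired = sorted(r.recording_id for r in self._recordings.values()
                         if r.delete_after <= now)
        for rid in expired:
            del self._recordings[rid]
        return expired

    def erase_caller(self, caller_id: str) -> List[str]:
        """Article 17 request: locate and delete every recording linked to one caller."""
        hits = sorted(r.recording_id for r in self._recordings.values()
                      if r.caller_id == caller_id)
        for rid in hits:
            del self._recordings[rid]
        return hits
```

In a real deployment the consent store and recording metadata would live in a database keyed by the telephony provider's recording identifiers, and purge_expired would run from a scheduler rather than being called by hand.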
Ofcom's 2025 rules on AI-generated communications require that any automated or AI-generated call discloses its automated nature within the first 5 seconds of the call. This applies to both inbound AI voice agents (where the caller reaches an AI) and outbound AI calls (where the AI initiates contact). There is no grace period and no exception for voice agents that sound human.
The Ofcom guidance is clear on two additional points. First, an AI voice agent must not impersonate a specific named individual - it can have a persona (a name like 'Alex' or 'Sophie') but it must not claim to be a real, named human being, and it must not use an individual's voice without their consent. Second, all outbound automated calls must include a clearly communicated opt-out option, allowing the called party to end the automated call and request human contact or removal from future calling lists.
In practice, this means the disclosure cannot be buried in a menu or delivered after the agent has already begun its pitch. It must be the first substantive thing the caller hears. When we configure outbound agents using VAPI or Bland.ai, the first prompt in the call flow is always the disclosure statement, before the agent identifies the purpose of the call.
For inbound calls, where a caller has contacted your business, the disclosure is typically delivered by the IVR system before the call is connected to the AI agent. Something like: 'You are through to [Company Name]. Your call may be handled by our AI assistant and may be recorded for quality purposes.' This satisfies both the Ofcom AI disclosure requirement and the call recording notification requirement in a single announcement.
Here is an example of the disclosure script Softomate uses as a starting point for outbound voice agent deployments:
'Hello, I am calling on behalf of [Company Name]. I am an automated AI assistant, not a human. This call may be recorded for quality purposes. If you would prefer to speak to a member of our team, or if you do not wish to receive automated calls from us, please say "opt out" at any time and I will arrange that for you. The reason for my call today is...'
Every element of that script serves a specific compliance purpose. The immediate AI identification satisfies Ofcom 2025. The recording notification satisfies the Telecommunications Regulations and ICO guidance. The opt-out instruction satisfies PECR's requirement that recipients can exercise their right to object to automated communications. And all of this happens before any commercial or service content is delivered.
Some clients ask whether they can skip the AI disclosure if their voice agent sounds convincingly human. The answer is no - and attempting to do so would likely constitute a breach of Ofcom rules and potentially the Consumer Protection from Unfair Trading Regulations 2008, which prohibit misleading commercial practices. The disclosure is non-negotiable.
A compliant AI voice agent deployment is not something that can be retrofitted after the technology is live. Every item on this checklist needs to be addressed before the first call is made - whether that is an inbound agent answering customer queries or an outbound agent making appointment reminders. We work through this list with every client before any build begins.
The checklist covers UK GDPR obligations, PECR requirements, Ofcom disclosure rules, and the data architecture decisions that determine whether you can actually honour your compliance commitments in practice. Ticking these boxes at the design stage costs a fraction of what it costs to unpick a non-compliant deployment after go-live - and it eliminates the risk of an ICO investigation finding you have been processing voice data without a legal basis.
At Softomate, we conduct this review as a formal pre-deployment sign-off. For clients in regulated sectors - financial services, healthcare, estate agency - we also involve the client's data protection officer or an external ICO-registered adviser. For smaller businesses without a DPO, we can introduce them to our network of data protection advisers who specialise in AI and telecommunications compliance.
Working through this checklist before a single call is made is the difference between a compliant deployment and a regulatory exposure. We include pre-deployment compliance sign-off as standard in every voice agent we build - it protects our clients and it protects the integrity of the AI systems we put our name to.
The company deploying the AI voice agent must be registered with the ICO if it processes personal data - and call recordings always contain personal data. The voice AI platform provider (VAPI, Bland.ai, Twilio, ElevenLabs) must also maintain its own ICO registration or equivalent data protection certification. ICO registration is required for the data controller (you) and is a separate obligation from the Data Processing Agreement you sign with each platform provider. Failure to register is itself a breach that the ICO can fine.
Only with explicit consent obtained separately from the original recording consent. The ICO's guidance is clear that using real customer call recordings to train or fine-tune an AI model is a new and distinct purpose that cannot be covered by the legitimate interest originally used to justify the recording. You must obtain explicit, specific consent from each caller whose recording will be used for training. Combining this request with the standard call recording disclosure is not sufficient - it must be a separate, granular consent choice.
Yes, in most commercial deployments. UK GDPR Article 35 requires a Data Protection Impact Assessment where processing is likely to result in high risk to individuals. Automated decision-making and large-scale processing of call data are both listed in ICO guidance as triggers for a mandatory DPIA. If your voice agent is making decisions that affect people (routing calls, triaging queries, flagging accounts) or is processing calls at scale, a DPIA is required before you begin processing - not retrospectively. The DPIA must be documented and retained.
No. PECR Section 19 prohibits automated marketing calls to any number without prior explicit consent, regardless of the technology making the call. An AI voice agent making marketing calls without PECR-compliant consent is in breach of PECR - and legitimate interest cannot be used to override this requirement. The ICO has specifically confirmed that PECR Section 19 applies to AI-generated automated calls in the same way it applies to traditional robocalls. The technology does not change the legal requirement.
The ICO can fine up to £500,000 for serious PECR breaches - this is a separate maximum from the UK GDPR fine ceiling of £17.5 million. Where a single AI calling campaign breaches both PECR (for making automated calls without consent) and UK GDPR (for processing personal data without a lawful basis), the ICO can pursue both sets of penalties concurrently. In enforcement cases involving large-scale automated calling without consent, combined penalties have exceeded £1 million. The ICO does not limit itself to one regime where breaches span both.
UK businesses deploying AI voice agents in 2026 face a layered compliance picture: UK GDPR requires a documented lawful basis before the first call, PECR Section 19 prohibits automated marketing calls without prior consent and carries its own £500,000 fine ceiling, and Ofcom's 2025 rules require AI disclosure within the first 5 seconds of every call. Call recordings must be retained only for the minimum period necessary - typically 6 months for customer service, 7 years for FCA-regulated advice - and deleted automatically when that period expires. Getting this right before go-live is straightforward with the right preparation; retrofitting compliance after an ICO investigation is not. Every voice agent Softomate deploys includes a formal pre-deployment compliance review as standard.
Planning to deploy an AI voice agent for your business? Book a compliance consultation with Softomate - we review GDPR obligations, PECR applicability and Ofcom disclosure requirements before any build begins. Every voice agent we deploy includes a pre-launch compliance sign-off as standard.
Written by the Softomate Solutions AI Development Team, Barking, East London. We build GDPR-compliant custom AI voice agents for UK businesses in financial services, healthcare, property and professional services.

AI receptionist setup costs for UK businesses range from £1,500 for a basic phone answering system to £8,000 for a fully integrated solution with CRM, diary booking and WhatsApp. Monthly running costs are £100-£400 depending on call volume. This compares to a full-time human receptionist at £28,000-£35,000 per year including NI and pension.
Yes. AI receptionists integrate with Google Calendar, Outlook, Calendly, and industry-specific booking systems to book appointments directly during calls. The AI checks real-time availability, offers the caller 2-3 slots, confirms the booking and sends SMS and email confirmations automatically. No human involvement is required for the booking process.