GDPR Call Recording Compliance: Step-by-Step Guide
Step-by-step guide to GDPR compliance for call recording -- DPAs, subject access requests, data protection impact assessments, and audit-ready documentation.
Coldread Team
We help small sales teams get enterprise-level call intelligence.
Knowing what GDPR requires for call recording is one thing. Implementing it across your team, your tools, and your processes is another. Most compliance guides stop at explaining the rules. This one starts where those guides end -- with the practical steps to get your call recording setup audit-ready.
If you need a refresher on the fundamentals -- lawful bases, consent requirements, and data retention principles -- read our GDPR call recording overview first. This guide assumes you understand the basics and want to get compliant in practice.
Conducting a Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is required under Article 35 of GDPR whenever processing is likely to result in high risk to individuals. Call recording -- which captures voice data, names, and potentially sensitive business information -- meets that threshold.
What Your DPIA Should Cover
Your DPIA is not a box-ticking exercise. It is a working document that regulators will ask to see. It should include:
Description of processing: What calls are you recording? Sales calls, support calls, all calls? What data is captured -- audio, metadata, transcripts, AI analysis? Where does it go after capture?
Necessity and proportionality: Why do you need to record calls? Could you achieve the same purpose with less intrusive means, such as note-taking? If you are recording for training purposes, do you need to keep full recordings or would anonymised transcripts suffice?
Risk assessment: What are the risks to individuals? Unauthorised access to recordings, data breaches, recordings used for purposes beyond what was disclosed. For each risk, document the likelihood and severity.
Mitigation measures: What controls reduce each risk? Encryption, access controls, retention limits, staff training, DPAs with processors. Be specific -- "we use encryption" is not enough. State what encryption standard, whether at rest and in transit, and who manages the keys.
Keeping Your DPIA Current
A DPIA is not a one-time document. Review it when you change your call recording tools, add new processing activities (such as AI transcription), or expand into new markets. A stale DPIA is almost as bad as no DPIA.
Setting Up Data Processing Agreements
Every third-party tool that touches your call recordings is a data processor under GDPR. You need a Data Processing Agreement (DPA) with each one. This is not optional -- Article 28 makes it a legal requirement.
Mapping Your Processors
Before drafting DPAs, map every tool and service that handles call data:
- VoIP provider (Aircall, Ringover, etc.) -- captures and stores audio
- Call intelligence platform -- transcribes, analyses, and stores derived data
- Cloud infrastructure (AWS, GCP, Azure) -- hosts the storage and processing
- CRM system -- if call data or transcripts are synced to it
- AI model providers -- if transcription or analysis uses external AI services
- Backup services -- if recordings are backed up to a separate provider
Each of these relationships requires a DPA. Miss one, and you have a compliance gap.
What to Check in a DPA
Most SaaS vendors offer a standard DPA. Do not just sign it without reviewing. Check for:
Sub-processor transparency. The DPA should list all sub-processors or provide a mechanism to notify you when sub-processors change. If your call intelligence tool sends audio to a third-party AI model for transcription, that AI provider is a sub-processor and must be disclosed.
Data location. Where is data stored and processed? If you serve EU customers, you need to know whether data stays within the EEA or is transferred elsewhere. If it is transferred, what safeguards are in place -- EU-US Data Privacy Framework certification, Standard Contractual Clauses, or another mechanism?
Breach notification timeline. GDPR requires processors to notify controllers "without undue delay" after discovering a breach. Your DPA should specify a concrete timeframe -- 24 or 48 hours is standard. Anything longer than 72 hours is problematic because you need time to notify your supervisory authority within the 72-hour GDPR deadline.
Deletion obligations. What happens to your data when the contract ends? The DPA should specify that the processor will delete all data within a defined period, and provide certification of deletion upon request.
Audit rights. You have the right to audit your processors. The DPA should include provisions for audits, whether through on-site inspections, third-party audit reports (SOC 2, ISO 27001), or questionnaires.
Managing DPA Renewals
DPAs are not set-and-forget documents. Set calendar reminders to review them annually or when a vendor notifies you of sub-processor changes. Keep a register of all active DPAs with their review dates, the processors they cover, and the data they apply to.
Handling Subject Access Requests
Under Article 15, any individual whose voice appears in your call recordings can request access to that data. Subject access requests (SARs) for call recordings are operationally complex, and most teams handle them poorly the first time.
Building a SAR Workflow
When you receive a SAR:
Step 1: Verify identity. Before handing over recordings, confirm the requester is who they claim to be. Ask for enough identifying information to locate their records -- name, approximate date of calls, phone number used. Do not ask for excessive ID documents; proportionality matters.
Step 2: Search across all systems. Call data may live in your VoIP platform, your call intelligence tool, your CRM, your email (if recordings were shared internally), and your backup systems. Search all of them. Missing a system means an incomplete response, which is a compliance failure.
Step 3: Review before release. Recordings may contain personal data of other individuals -- the sales rep, other people mentioned during the call. You may need to redact third-party personal data before providing the recording. AI transcripts should also be reviewed; automated transcription can introduce errors that misrepresent what was said.
Step 4: Provide the data in an accessible format. Audio files should be in a common format (MP3, WAV). Transcripts should be provided alongside the audio. Include metadata -- date, time, duration, purpose of the call.
Step 5: Respond within 30 days. This is the GDPR deadline. If the request is complex (many recordings, multiple systems), you can extend by two months, but you must inform the requester within the initial 30-day period and explain why.
Documenting SARs
Maintain a log of all SARs received, including the date received, the requester, the response date, what data was provided, and any redactions applied. This log demonstrates compliance during audits and helps you identify patterns -- if you are receiving frequent SARs, it may indicate issues with your privacy notices or data handling practices.
Building an Internal Compliance Audit Process
Compliance is not a project with a finish line. It is a continuous process that requires regular auditing.
Monthly Checks
- Verify that all calls are being recorded (spot-check for gaps)
- Confirm consent mechanisms are functioning on all lines
- Review any SAR or deletion requests received and their response times
- Check that new employees have completed call recording compliance training
Quarterly Reviews
- Audit your processor list -- have you added any new tools that touch call data?
- Review DPA status -- any contracts expiring or sub-processor changes notified?
- Sample review of recordings to verify retention policies are being applied
- Check that recordings past their retention period have been automatically deleted
Annual Assessment
- Full DPIA review and update
- Review and update your Record of Processing Activities (ROPA)
- Assess whether your lawful basis is still appropriate
- Review privacy notices for accuracy
- Conduct or review third-party audit reports (SOC 2, ISO 27001) from your processors
- Staff refresher training on GDPR call recording requirements
Creating an Audit Trail
Every audit should be documented. Record the date, scope, findings, and any corrective actions taken. This documentation is what you will present to a supervisory authority if they investigate. Verbal assurances that "we checked and everything was fine" carry no weight.
Implementing Compliant Deletion Workflows
Deletion under GDPR applies in two contexts: routine deletion under your retention policy, and individual deletion requests under Article 17 (right to erasure).
Routine Retention-Based Deletion
Your retention policy defines how long recordings are kept. Implementing it requires:
Automated scheduling. Tag each recording with a deletion date at the point of creation. When the date arrives, the system deletes automatically. Manual deletion is unreliable at scale.
Cascading deletion. Deleting the audio file is not sufficient. You must also delete the transcript, AI-generated summaries, sentiment analysis, topic tags, and any contact intelligence derived solely from that recording. If your tools store derived data separately from the source recording, you need deletion workflows in each system.
Deletion confirmation. Log every deletion -- what was deleted, when, from which systems. This log proves your retention policy is actively enforced.
Individual Erasure Requests
When someone requests deletion of their recordings:
- Locate all recordings involving that person across all systems
- Determine whether any exemptions apply (regulatory retention requirements override the right to erasure in some industries)
- If no exemption applies, delete the recording and all derived data within 30 days
- Confirm deletion to the requester in writing
- Log the request and your response
For multi-party recordings, consider whether you can redact the requester's portions rather than deleting the entire recording -- especially if the recording also serves a regulatory purpose for other participants.
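The three deletion mechanics above (deletion date tagged at ingest, cascading removal of derived data, and a deletion log), together with the "locate across all systems" step that both erasure requests and subject access requests depend on, as an added example that is not Coldread's code. It models a recording index plus separate stores for transcripts and AI analytics; the 90-day policy, the store names, the contact identifiers and the dates are constructed, and the audit checks (`overdue`, `orphaned_derived`) are the kind of thing the quarterly "recordings past their retention period have been deleted" review would run.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Recording:
    recording_id: str
    participants: set[str]  # contact identifiers for everyone on the call
    created: date
    delete_on: date         # tagged at ingest from the retention policy


class DerivedStore:
    """Hypothetical model of one system holding data derived from a recording
    (transcripts, AI summaries, sentiment tags), keyed by source recording id."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.items: dict[str, list[str]] = {}

    def put(self, recording_id: str, item_id: str) -> None:
        self.items.setdefault(recording_id, []).append(item_id)

    def purge(self, recording_id: str) -> list[str]:
        # Returns what was removed so the deletion log can record it.
        return self.items.pop(recording_id, [])


class RetentionEngine:
    """Recording index plus the routine and request-driven deletion workflows."""

    def __init__(self, retention_days: int, stores: list[DerivedStore]) -> None:
        self.retention = timedelta(days=retention_days)
        self.stores = stores
        self.recordings: dict[str, Recording] = {}
        self.deletion_log: list[dict] = []

    def ingest(self, recording_id: str, participants: set[str], created: date) -> Recording:
        # The deletion date is fixed at creation, never worked out by hand later.
        rec = Recording(recording_id, set(participants), created, created + self.retention)
        self.recordings[recording_id] = rec
        return rec

    def _cascade_delete(self, recording_id: str, reason: str, today: date) -> dict:
        # Index entry and every derived item go together; the log records
        # exactly what was removed from which system.
        self.recordings.pop(recording_id)
        removed = {store.name: store.purge(recording_id) for store in self.stores}
        entry = {"recording_id": recording_id, "reason": reason,
                 "date": today.isoformat(), "removed": removed}
        self.deletion_log.append(entry)
        return entry

    def run_scheduled_deletion(self, today: date) -> list[str]:
        """Routine deletion: everything whose tagged date has arrived."""
        due = sorted(rid for rid, r in self.recordings.items() if r.delete_on <= today)
        for rid in due:
            self._cascade_delete(rid, "retention_expired", today)
        return due

    def erase_subject(self, subject: str, today: date, exemption: str | None = None) -> list[str]:
        """Erasure request: locate every recording the subject is on and delete it
        with its derived data, unless a documented exemption applies."""
        matches = sorted(rid for rid, r in self.recordings.items() if subject in r.participants)
        if exemption:  # refusal is logged too, with the recordings it covered
            self.deletion_log.append({"subject": subject, "reason": f"erasure_refused:{exemption}",
                                      "date": today.isoformat(), "recording_ids": matches})
            return []
        for rid in matches:
            self._cascade_delete(rid, "erasure_request", today)
        return matches

    def subject_access(self, subject: str) -> list[dict]:
        """SAR export: each recording the subject appears in, listing the other
        participants so their data can be redacted before release."""
        return [{"recording_id": r.recording_id, "created": r.created.isoformat(),
                 "derived": {s.name: s.items.get(r.recording_id, []) for s in self.stores},
                 "redact": sorted(r.participants - {subject})}
                for r in sorted(self.recordings.values(), key=lambda r: r.recording_id)
                if subject in r.participants]

    def overdue(self, today: date) -> list[str]:
        """Audit check: recordings past their deletion date that still exist."""
        return sorted(rid for rid, r in self.recordings.items() if r.delete_on <= today)

    def orphaned_derived(self) -> dict[str, list[str]]:
        """Audit check: derived data whose source recording is already gone."""
        orphans: dict[str, list[str]] = {}
        for store in self.stores:
            ids = sorted(rid for rid in store.items if rid not in self.recordings)
            if ids:
                orphans[store.name] = ids
        return orphans


def build_demo() -> RetentionEngine:
    """Constructed sample data: three calls under an assumed 90-day policy."""
    transcripts, analytics = DerivedStore("transcripts"), DerivedStore("ai_analytics")
    engine = RetentionEngine(90, [transcripts, analytics])
    engine.ingest("rec-001", {"+44700000001", "rep-alice"}, date(2025, 1, 10))
    engine.ingest("rec-002", {"+44700000002", "rep-alice"}, date(2025, 3, 1))
    engine.ingest("rec-003", {"+44700000001", "rep-bob"}, date(2025, 3, 15))
    for store, rid, item in [(transcripts, "rec-001", "tr-001"), (analytics, "rec-001", "sum-001"),
                             (analytics, "rec-001", "sent-001"), (transcripts, "rec-002", "tr-002"),
                             (transcripts, "rec-003", "tr-003")]:
        store.put(rid, item)
    return engine


def demo_run() -> dict:
    """Runs the scenario as of 2025-05-01 and returns every outcome for inspection."""
    engine, today = build_demo(), date(2025, 5, 1)
    out = {"sar_before": engine.subject_access("+44700000001"), "overdue_before": engine.overdue(today)}
    out["retention_deleted"] = engine.run_scheduled_deletion(today)
    out["overdue_after"] = engine.overdue(today)
    out["erased"] = engine.erase_subject("+44700000001", today)
    out["refused"] = engine.erase_subject("+44700000002", today, exemption="regulatory_retention")
    out["remaining"], out["orphans"], out["log"] = sorted(engine.recordings), engine.orphaned_derived(), engine.deletion_log
    return out


if __name__ == "__main__":
    for key, value in demo_run().items():
        print(key, value)
```

Only `rec-001` is past its tagged date on 2025-05-01, so the scheduled run deletes it from all three places and logs the transcript and both analytics items it took with it; the erasure request for the first caller then removes `rec-003` (their only remaining call), while the second request is refused under a logged exemption and leaves `rec-002` intact. The SAR export for the first caller, taken before any deletion, lists both of their calls and flags the sales rep on each as data to redact.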
Technology That Supports Compliance
The right call recording stack makes compliance manageable rather than overwhelming. When evaluating tools, look for:
Configurable retention policies that automatically delete recordings on schedule. Tools that require manual deletion will eventually create a backlog of non-compliant data.
Comprehensive deletion that removes audio, transcripts, and derived analytics together. Partial deletion -- keeping the transcript but deleting the audio -- leaves you exposed.
Access controls with audit logging so you can demonstrate who accessed what and when.
SAR support that makes it straightforward to locate, review, and export all data associated with a specific individual.
Coldread provides all of these capabilities out of the box. Retention policies, cascading deletion, role-based access with logging, and data export for SARs are built into the platform. For teams using Aircall or Ringover, compliance is handled without additional tooling or manual processes.
Common Implementation Gaps
Even teams that understand GDPR well often have gaps in their implementation:
No DPIA on file. Many teams skip the DPIA because they assume call recording is low risk. Regulators disagree. Complete one before you are asked for it.
DPAs missing for some processors. Teams sign DPAs with their primary call recording vendor but forget about the CRM, the backup service, or the AI transcription provider. Map every processor.
SARs handled ad hoc. Without a documented workflow, SAR responses are slow, incomplete, or inconsistent. Build the process before the first request arrives.
Derived data not included in deletion. Deleting the audio but keeping the AI-generated transcript and analysis does not satisfy a deletion request. Cascading deletion across all systems is essential.
No audit documentation. Performing compliance checks is not enough. Document what you checked, what you found, and what you changed. Regulators want evidence, not assurances.
Getting Started
If your call recording is already in place but your compliance implementation is incomplete, prioritise in this order:
- Complete your DPIA -- this is the foundation document
- Map your processors and secure DPAs -- close the gaps in your vendor relationships
- Build your SAR workflow -- have it ready before you need it
- Implement automated retention and deletion -- remove the manual burden
- Document your audit process -- schedule monthly, quarterly, and annual reviews
For teams building compliance from scratch, our GDPR call recording fundamentals guide covers the legal groundwork. This guide gives you the implementation roadmap. Between the two, you have everything you need to run a compliant call recording operation.
Ready to simplify your compliance stack? See Coldread pricing -- plans start at $29/month.