Back to Blog
Compliance
6 min read
5 Dec 2024

UK GDPR and AI call handling: what you need to know

Using AI to handle customer calls raises legitimate questions about data privacy. We break down exactly what UK GDPR requires and how CallWrk stays compliant.

The question we hear most often

"Is it legal to use AI to answer my customer calls?"

The short answer: yes, absolutely — with the right approach. Let's break down what UK law actually requires.

What UK GDPR says about call recording and AI

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you must:

  1. Have a lawful basis for processing — for call handling, this is typically *legitimate interests* or *contract performance*
  2. Be transparent — callers must be informed if their call is being recorded or handled by AI
  3. Retain data only as long as necessary — call recordings and transcripts must have defined retention periods
  4. Protect the data — appropriate technical and organisational measures required

The Privacy and Electronic Communications Regulations (PECR) also apply, particularly for outbound campaigns.

How CallWrk ensures compliance

### Transparency disclosure

Every CallWrk call begins with a brief disclosure: *"This call may be recorded for quality and training purposes and handled with AI assistance."* This satisfies the transparency requirement under UK GDPR.

### Data residency

All call data for UK customers is stored within the United Kingdom. We do not transfer personal data outside the UK/EEA without appropriate safeguards.

### ICO registration

CallWrk Ltd is registered with the Information Commissioner's Office (ICO) as a data processor. Our registration number is available on request.

### Retention policies

Call recordings are retained for a maximum of 90 days by default. Transcripts and booking data are retained in line with your CRM's retention policies. Both can be configured to shorter periods on request.

### Data Subject Requests

If one of your customers submits a Subject Access Request (SAR) or requests erasure, CallWrk's data team will process the request within 30 days in line with UK GDPR requirements.

What you need to do as a business

As the data controller, you remain responsible for:

  • Including CallWrk's data processing in your Privacy Policy (we provide a template clause)
  • Ensuring your website/booking flow informs customers that calls may be AI-assisted
  • Maintaining a Record of Processing Activities (ROPA) that includes CallWrk

We provide all the documentation you need to stay compliant. Our compliance team is available to any customer who needs guidance.

Bottom line

UK law is clear and manageable. Using AI to handle customer calls is entirely lawful when done transparently and with appropriate safeguards — and CallWrk has built compliance into every layer of the product.

See CallWrk in action

Book a free 20-minute demo and watch the AI handle a live call.

Book a Free Demo