Explained / Other / 10 June 2026

Recording discovery calls in the UK: the legal framework

UK law on sales call recording: notice-not-consent under the Investigatory Powers Act, lawful basis under UK GDPR (legitimate interest), what your privacy notice must disclose, and special cases (covert recording, cross-border calls, consumer calls, subject access requests).

The UK isn't a two-party consent jurisdiction in the US sense; it's a notice jurisdiction. A pre-call preamble, a privacy notice, retention enforcement, and a documented LIA are the four operational anchors.

Recording sales discovery calls in the UK has a clear legal framework. Most UK SaaS sales operations teams operate within it correctly; some don't, and the cost of getting it wrong has risen materially since the Data Protection Act 2018 and UK GDPR.

This piece sets out the legal and practical position as of 2026.

The applicable law

Two regimes:

  • Data Protection Act 2018 / UK GDPR. Audio recordings containing personally identifiable speech are personal data. Processing requires a lawful basis (typically legitimate interest for sales call recording), notice to the data subject, and adherence to the rights framework (access, rectification, erasure, objection).
  • Investigatory Powers Act 2016. Regulates interception of communications. Sales call recording for a legitimate business purpose is generally permitted under the Act's business exemptions, provided certain conditions are met.

The two interact. The Investigatory Powers Act permits the act of recording; UK GDPR governs what you do with the recording afterwards.

What 'consent' means in this context

The UK is not a 'two-party consent' jurisdiction in the way some US states are. UK law does not require explicit consent from the recorded party for recording itself - it requires notice. The notice obligation is twofold:

  1. At the start of the call: the participant should be informed that the call is being recorded and the broad purpose for which it's being recorded. Most UK SaaS teams use a standard preamble: 'I'm recording this call for note-taking and quality purposes; let me know if that's not OK.'
  2. In your privacy notice: your organisation's privacy notice should disclose that calls may be recorded, the lawful basis, retention period, and the data subject's rights.

A participant who objects to recording at the start of the call must have the recording stopped. Continuing to record after objection moves you out of the business-exemption framework and exposes the organisation to material risk.

Lawful basis

For UK B2B sales call recording, legitimate interest is typically the appropriate lawful basis under UK GDPR. Documenting a Legitimate Interests Assessment (LIA) once for the recording programme is sufficient; per-call documentation isn't required. The LIA should cover:

  • Why the recording is necessary (training, coaching, deal review, dispute resolution)
  • Why the legitimate interest is not overridden by the data subject's rights
  • The retention period (typically 12-24 months; longer requires specific justification)
  • The access controls (who in your organisation can listen back; how access is logged)

The Data (Use and Access) Act 2025 has formally recognised legitimate interest for direct marketing, but call recording for training and quality purposes remains squarely within the existing legitimate-interest territory.

What your privacy notice must disclose

A defensible privacy notice covering call recording includes:

  • That calls may be recorded
  • The purposes (training, coaching, quality, deal-review)
  • The lawful basis (legitimate interest)
  • The retention period
  • The data subject's rights (access, erasure, objection)
  • Contact details for the data protection lead

Special cases

Recording without notice. Not legal under UK law for sales calls. Recording covertly to win an argument later does not meet the threshold.

Cross-border calls. A call between a UK seller and a US buyer may be subject to both UK and US law. US states with two-party consent rules (California, Pennsylvania, Florida, Massachusetts, others) require all-party consent for the recording. The conservative position: get explicit verbal consent at the start of any cross-border call.

Calls with consumers (not businesses). UK GDPR applies regardless. Notice requirements are the same. The legitimate-interest analysis is harder for consumer calls; explicit consent is more often appropriate.

Subject access requests. A recorded participant can request a copy of any recording in which they appear. Your organisation has 30 days to respond.

Operational discipline

Three habits that keep UK SaaS sales call recording compliant:

  1. The pre-call preamble is consistent across the team. Train it; check it on call reviews; reinforce it.
  2. The retention period is enforced automatically. If your retention is 12 months, the conversation-intelligence tool deletes recordings at 12 months automatically.
  3. The privacy notice is accurate. It reflects the actual practice, not an aspiration.

This is editorial coverage, not legal advice. Consult counsel for specific compliance questions.

Source: Investigatory Powers Act 2016. Data Protection Act 2018. UK GDPR. ICO guidance on call recording.