

VoIP and Data Protection

If your business uses a VoIP telephone system, it falls within specific data protection regulatory requirements.

GDPR has been in place since May 2018. Although the UK is no longer a member of the EU, there are no great changes to the data protection principles under UK data protection law.

Personal Data Protection

In the UK, the GDPR and the Data Protection Act 2018 (DPA) control the use of people’s personal information. With this in mind, when using your VoIP system, you must adhere to strict data protection rules. These state that the use of personal data must be:

  • For specified, explicit purposes
  • Fair, transparent and lawful
  • Adequate and relevant
  • Accurate and up to date
  • Properly secure
  • Not kept any longer than is necessary

Appropriate security of personal information includes protection from unauthorised processing or unlawful access, loss, damage or destruction.

It is vital to have a clearly defined set of data protection procedures which you can demonstrate and which also cover the use of VoIP.


How Data Protection Affects VoIP

One of the most important and most often used features of VoIP is call recording. If you are going to record incoming customer calls, you need to be able to justify the need to do so legally.

Six different data protection conditions exist under which you can record calls:

  • Your company has a legitimate interest in recording calls and uses the personal data gathered appropriately, with minimal impact on client privacy
  • The caller has clearly given their consent for call recording
  • It is a legal and/or regulatory requirement in certain situations
  • Call recording is part of a contractual obligation to your client
  • It is needed to protect the interests, or life, of a client
  • It is required for exercising official authority


Caller Consent Is Vital

According to data protection rules, a user or caller holds a very strong position. They need to give their consent for you to collect their data via call recording, and this consent can be withdrawn at any time. In the event you’ve recorded a call and the caller no longer wants you to keep this data, they are entitled to request that you delete it. Where this happens you must comply unless there is a legitimate reason for keeping it.

Applying Data Protection to VoIP

Examples of how the conditions listed above apply include:

  • Financial sector companies are legally obliged to record calls with clients
  • Energy companies recording meter readings over the phone are contractually obligated
  • Recording calls in a call centre for monitoring and training purposes falls under the legitimate interest of the customer and consumer.

In this latter example, it is important that the caller gives their explicit consent and any privacy considerations do not impact upon the need to carry out something officially.

Another data protection concern arises when using VoIP to take payment details over the phone.

When you’re using a call recording feature, you need to be sure you aren’t recording someone’s card details should the caller give them over the phone to make a payment. Doing this would be a breach of Payment Card Industry Data Security Standard (PCI DSS) rules.

Ways of ensuring you don’t breach any rules in this situation are either to pause the call’s recording or to transfer the call to a phone that is outside the call recording system. Either way, it makes sense to make sure these functions are included in your VoIP phone system, especially if your business takes payments from customers over the phone.

What Are the Consequences of Non-Compliance with Data Protection?

Breaching data protection regulations may result in large fines. In 2018, the maximum fine set for non-compliance with GDPR and the DPA was £17.5 million, or 4% of annual turnover. Other sanctions include reprimands, such as bans on data processing or suspension of data transfers, and orders to restrict or delete data.

There is also reputational damage to consider. If it becomes public knowledge that you’ve breached data protection rules, this can cause serious damage to your reputation and seriously impact your profitability.

When Does EU GDPR Still Apply?

The EU GDPR might still apply to your business while you are trading in the European Economic Area (EEA), if you are offering goods or services to individuals within it, or monitoring the behaviour of individuals in the EEA.

If companies within the EEA send you personal data, they must also comply with GDPR when doing this.

Learn More About VoIP

Here at Jibba Jabba we supply high-quality VoIP solutions to businesses. To find out more about VoIP in general, you can download our guide using the form on this page; if you want to know more about our VoIP packages and prices, please click here to view.


Article by Ashley Harris on: 22/7/22



