Actionable checklist for UK businesses deploying AI voice systems. Based on ICO guidance and UK GDPR requirements.
Work through each section before deploying an AI voice system. Revisit annually or when you change providers. Items tagged “Legal requirement” are obligations under UK GDPR. Items tagged “Recommended” are strong good practice that demonstrates due diligence.
Determine whether legitimate interests, consent, or contractual necessity applies. Document your reasoning in writing.
Reference: UK GDPR Article 6
Required when deploying new technology that processes personal data at scale. Document the data you will process, risks, and mitigations.
Reference: UK GDPR Article 35
Check that it covers AI-assisted call handling, voice data processing, and third-party processors. Update before going live.
Not legally required for all organisations, but strongly recommended when deploying AI systems that process voice data. Consider external DPO services.
Callers must know they are interacting with AI. Include a clear notification at the start of each call.
Reference: UK GDPR Articles 13 & 14
Inform callers before recording begins and state the purpose. Offer an opt-out where practical.
Add sections covering: what voice data you collect, why, how long you keep it, who processes it, and caller rights.
Provide a way for callers to access your full privacy policy. Mention your website URL during the call or in follow-up communications.
Keep a record of how and when callers are informed. This demonstrates compliance if the ICO investigates.
Check for ISO 27001, SOC 2, or equivalent. Ask about encryption, access controls, and incident response procedures.
Set retention periods proportionate to your stated purpose. Six months is a common baseline for call recordings. Document your reasoning.
Reference: UK GDPR Article 5(1)(e)
Restrict who in your organisation can access call recordings, transcripts, and caller data. Use role-based access where available.
The ICO must be notified within 72 hours of becoming aware of a qualifying breach. Have a documented response plan.
Reference: UK GDPR Article 33
Verify that data is actually deleted when retention periods expire. Test the process before going live.
Must cover: processing scope, security obligations, sub-processor approval, data return or deletion on termination, and audit rights.
Reference: UK GDPR Article 28
Document where caller data goes: AI provider, sub-processors, cloud hosting, CRM integrations. Check each transfer has appropriate safeguards.
Callers can request access to or deletion of their data, or object to processing. You must respond within one month.
Reference: UK GDPR Articles 15–22
Review your DPIA, privacy notices, retention periods, and processor agreements at least annually. Update as needed.
This checklist is based on the ICO’s published guidance on AI and data protection, the UK GDPR text, and the ICO’s AI and Data Protection Risk Toolkit. It is not a substitute for professional legal advice.
Items covering lawful basis, transparency, DPA, and data subject rights are legal requirements under UK GDPR. Others, such as DPO appointment for smaller organisations, are strong recommendations. All 18 points represent good practice.
At minimum annually, or whenever you change AI providers, expand your use of AI, or when new ICO guidance is published.
Consider a different provider. A Data Processor Agreement is a legal requirement under Article 28 of UK GDPR. Any reputable AI provider will have one ready.
A completed checklist demonstrates due diligence but is not sufficient alone. You need the underlying documentation — DPIA, privacy notices, DPA, processing records — to support it.
Yes. The same GDPR principles apply to any AI system processing personal data, whether voice or text-based.
This checklist provides general guidance based on publicly available ICO resources and UK GDPR requirements. It is not legal advice. For specific compliance guidance, consult a qualified data protection officer or solicitor.