GDPR and AI call handling in the UK: what businesses need to know
2 April 2026 · 8 min read
The short answer
Using an AI receptionist in the UK is GDPR-compliant when you have a lawful basis for processing call data, tell callers how their data is handled, keep that data on infrastructure you control, and set a clear retention period. The biggest risk is not AI itself — it is vendors who hold your callers’ data in a black box you cannot govern.
AI call handling raises a fair question for any UK business, and a pressing one for clinics and law firms: can you use an AI receptionist and still meet your GDPR obligations? The short answer is yes — but how you set it up matters. This guide covers the principles in plain English. It is general guidance, not legal advice; check specifics with your DPO or solicitor.
You are the data controller
When a customer calls your business, you decide why and how their information is used — which makes you the data controller under UK GDPR. Any AI receptionist you use is a processor acting on your instructions. That distinction drives everything else: you set the rules, and your vendor must follow them and be able to prove it.
The five things to get right
1. Lawful basis
Most call handling relies on legitimate interests (running your business and responding to enquiries) or taking steps to enter a contract. Document which basis applies. For special-category data — health information at a clinic, for example — apply the extra care that data demands.
2. Transparency
Callers should be able to find out how their data is used. A short line in your privacy notice covering call handling and, where appropriate, a brief notice that calls are answered by an automated assistant keeps things transparent.
3. Data location and security
This is where most vendors fall short. Ask where call data is stored and processed, whether it leaves the UK or EU, and who can access it. The cleanest answer is data that stays on infrastructure you control rather than pooled inside a vendor’s platform.
4. Retention
Do not keep call recordings or transcripts forever. Set a defined retention period appropriate to why you hold the data, and make sure the system actually deletes it on schedule.
5. A processor agreement
You need a data processing agreement with any AI vendor, setting out what they can do with the data, their security measures, and their obligations if something goes wrong. No DPA, no deal.
Questions to ask any AI receptionist vendor
- Where is call data stored and processed, and does it leave the UK/EU?
- Can the system run on infrastructure we own and control?
- What is the default retention period, and can we set our own?
- Will you sign a data processing agreement?
- How is access to recordings and transcripts restricted and logged?
Why we build on infrastructure you own
We deploy agents on infrastructure you control rather than holding your callers’ data ourselves. For clinics handling patient information and law firms handling client matters, that ownership is the difference between a compliance headache and a clean answer to “where does our data live?”
Handling sensitive calls? A free 30-minute Agent Audit covers how an AI receptionist would fit your data-protection requirements — with a written projection within 48 hours.
Your next step
Find your highest-ROI automation.
Book a free 30-minute Agent Audit. We'll map your workflows and send a written ROI projection within 48 hours.