Is it legal to record client calls at a law firm?
The short answer is yes, with clear conditions. The General Data Protection Regulation (EU 2016/679) and its UK equivalent (UK GDPR, retained post-Brexit) permit call recording when a lawful basis exists. For law firms, the most commonly relied-upon bases are explicit consent from the data subject or the legitimate interests of the controller, balanced against the rights and freedoms of the individual.
However, having a lawful basis is only the starting point. The firm must document that basis, inform the client before recording begins, and ensure that the data collected is limited to what is necessary for the stated purpose. Non-compliance can attract fines of up to €20 million (or £17.5 million under UK GDPR) or 4% of global annual turnover, whichever is higher.
Consent vs. legitimate interests: which basis to rely on
Explicit consent requires the client to give a freely given, specific, informed, and unambiguous indication of agreement before recording begins. A verbal notice at the start of a call ("this call may be recorded") is not sufficient on its own; it must be accompanied by information about who processes the data, for what purpose, and for how long.
Legitimate interests can justify recording without prior consent if the firm can demonstrate the interest is real, necessary, and not overridden by the individual's rights. European supervisory authorities, including the UK ICO, have taken a cautious stance on legitimate interests for call recording in professional services contexts. Consent therefore remains the safer route for most law firms.
Information obligations: what you must tell clients
Article 13 of GDPR requires that, at the point of data collection, the controller provides a defined set of information. For call recordings, this means communicating at minimum:
- The identity and contact details of the controller (the law firm).
- The purpose of the recording (e.g., file documentation, training, or evidentiary use).
- The lawful basis relied upon.
- The retention period for the recording.
- The client's rights to access, rectify, or erase their data, and to object to processing.
- The right to lodge a complaint with the supervisory authority (ICO in the UK; national DPA in EU member states).
This information can be provided in the engagement letter, a pre-call email, or an automated message at the start of the conversation. What matters is that a record exists confirming it was provided.
Retention periods and secure deletion
GDPR prohibits keeping personal data longer than necessary for the purpose that justified its collection. For law firms, determining that period requires balancing the limitation periods applicable to the legal matter, any sector-specific retention obligations, and the likelihood that the recording may be needed as evidence.
Once the retention period expires, recordings must be deleted irreversibly. This applies not only to the audio files but also to any transcripts generated from them. AI transcription tools that process data in the cloud must offer certified deletion mechanisms and must not use client data to train their models without additional consent.
Data Processing Agreements (DPAs) and sub-processors
When a law firm uses an external vendor to transcribe or store recordings, that vendor becomes a data processor. GDPR Article 28 requires formalising this relationship through a written Data Processing Agreement that governs processing instructions, security measures, sub-processing, and breach notification obligations. Operating without this agreement is itself a GDPR infringement, regardless of whether the underlying processing is otherwise lawful.
Practical rule: Before contracting any transcription or recording tool, request the vendor's standard DPA, verify that servers are located within the EEA or in an adequacy-decision country, and confirm that their data retention policy is configurable by the customer. Bar associations in both the UK and US increasingly publish guidance on technology vendor due diligence; review the most recent version from your regulator.
Technical and organisational security measures
GDPR's accountability principle requires law firms to implement security measures proportionate to the risk. For call recordings, this includes encryption in transit and at rest, role-based access controls (only the assigned fee-earner should access a given recording), access logging, and a documented incident response plan.
Firms that process client data systematically at scale may also be required to appoint a Data Protection Officer (DPO) and conduct a Data Protection Impact Assessment (DPIA) before deploying a recording and transcription system.
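As an added example (not code from this page, from CallsIQ, or from any vendor), the following Python sketches the controls named in the retention and security sections on a constructed sample: fee-earner-only access with an append-only access log, and retention-driven deletion that removes the audio and its transcript together. The Recording fields, the 365-day retention arithmetic, the sample names and dates, and the in-memory log are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from pathlib import Path
import tempfile

@dataclass
class Recording:
    recording_id: str
    audio_path: Path
    transcript_path: Path      # the transcript is deleted together with the audio
    assigned_fee_earner: str
    matter_closed: date
    retention_years: int       # from the firm's retention schedule for this matter
    def retention_expiry(self) -> date:
        return self.matter_closed + timedelta(days=365 * self.retention_years)  # illustrative 365-day years

AUDIT_LOG: list[dict] = []     # append-only access log, kept in memory for the example

def request_access(user: str, rec: Recording, today: date) -> bool:
    """Only the assigned fee-earner may open a recording, and only while it is retained; every decision is logged."""
    allowed = user == rec.assigned_fee_earner and today <= rec.retention_expiry()
    AUDIT_LOG.append({"user": user, "rec": rec.recording_id, "on": str(today), "allowed": allowed})
    return allowed

def purge_expired(recordings: list[Recording], today: date) -> list[str]:
    """Remove audio and transcript of every recording whose retention period has passed."""
    purged = []
    for rec in recordings:
        if today <= rec.retention_expiry():
            continue
        for p in (rec.audio_path, rec.transcript_path):
            # unlink() only drops the directory entry; irreversible erasure relies on
            # the storage layer (e.g. an encrypted-at-rest volume whose key is destroyed)
            p.unlink(missing_ok=True)
        if not any(p.exists() for p in (rec.audio_path, rec.transcript_path)):
            purged.append(rec.recording_id)
    return purged

def run_demo(today: date = date(2025, 6, 1)) -> dict:
    """Constructed sample: R1 is inside its retention period, R2 (matter closed 2015) is past it."""
    d = Path(tempfile.mkdtemp())
    recs = []
    for rid, owner, closed in (("R1", "alice", date(2024, 1, 10)), ("R2", "bob", date(2015, 3, 1))):
        audio, txt = d / f"{rid}.wav", d / f"{rid}.txt"
        for p in (audio, txt):
            p.write_text("constructed placeholder content")
        recs.append(Recording(rid, audio, txt, owner, closed, retention_years=6))
    return {"owner_allowed": request_access("alice", recs[0], today),
            "other_denied": not request_access("carol", recs[0], today),
            "purged": purge_expired(recs, today),
            "r1_kept": recs[0].audio_path.exists() and recs[0].transcript_path.exists()}
```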
Implementing a GDPR-compliant recording and transcription system
A compliant implementation follows four phases: establish the lawful basis and draft client-facing information notices; select a vendor that offers GDPR guarantees and sign the DPA; configure the system with appropriate access controls and retention settings; and train staff on internal procedures. CallsIQ was built with this compliance framework in mind: EU-based servers, a standard DPA available before first use, AES-256 encryption, and customer-configurable retention periods.