UK charities and CICs handle sensitive data over the phone: beneficiary details, referrals and safeguarding notes. This guide shows how to secure VoIP platforms, call recordings and volunteer access with GDPR-aligned policies, role-based access control (RBAC), retention & deletion, encryption, audit logs and device hygiene.
Key takeaways
- Lawful basis & minimisation: define GDPR basis (legitimate interests/consent) and collect only what’s needed.
- Recording controls: announce where required, use pause/redact for sensitive fields, set retention.
- RBAC & audit: least-privilege access, MFA, logs for reviews and incident response.
- Encryption: TLS/SRTP in transit, encrypted storage for recordings and backups.
GDPR: lawful basis, notices & minimisation
- Choose a lawful basis for helpline/advice calls; document in your privacy notice.
- Data minimisation: keep call notes brief, store details in your approved CRM/case system.
- Maintain a ROPA (record of processing activities) for telephony and recordings.
Call recording & retention policies
- Publish a recording policy; announce recording where appropriate.
- Enable pause/redact for payment/health data; set role-based access to recordings.
- Apply retention & deletion schedules aligned with safeguarding and funder requirements.
Access controls, MFA & audit logs
- MFA/SSO for staff and volunteers; remove access quickly when roles change.
- Least-privilege RBAC for queues, recordings and reports; periodic access reviews.
- Audit logs for sign-ins, playback and exports; alert on suspicious activity.
Device hygiene for remote volunteers
- Use managed softphone apps with auto-lock; prefer USB headsets over speakerphones.
- Enforce screen locks, disk encryption and avoid storing notes locally.
- Provide short security training and an incident playbook.
Network & platform security
- TLS/SRTP for signalling/RTP; disable weak ciphers and legacy SIP auth.
- IP allow-lists for admin access; geo-blocking where appropriate.
- Back up configs/recordings securely with encryption and test restores regularly.
Related guides
Recently asked questions
Do we need consent to record calls?
Not always — it depends on your lawful basis. Many helplines use legitimate interests with clear privacy notices. When in doubt, obtain consent and allow pause/redact for sensitive data.
Who should have access to recordings?
Only trained roles on a need-to-know basis (e.g. supervisors, safeguarding leads). Enforce RBAC, MFA and audit playback/downloads.
How long should we keep recordings?
Follow your retention schedule (often 30–180 days) and any safeguarding/funder rules. Automate deletion and document exceptions.
Can volunteers use personal laptops/phones safely?
Yes — with managed apps, MFA, screen locks, no local note-taking, and brief security training. Revoke access instantly if a device is lost.