Deploying an artificial intelligence tool to automatically transcribe your meetings and professional interviews creates real value — but it immediately triggers a series of legal obligations. UK GDPR applies as soon as data that could identify individuals — voices, names, job titles, opinions — is collected and processed.
Here are the key points to keep in mind before going any further:
- Inform participants before any recording takes place (UK GDPR Art. 13 + Data Protection Act 2018).
- Formalise the relationship with your provider through a Data Processing Agreement (UK GDPR Art. 28).
- Host data within the UK or EEA, or ensure a valid transfer mechanism is in place.
- Limit retention periods and delete the audio as soon as the transcript has been finalised.
- Prohibit model training on your data through explicit contractual terms.
Contents
- Data controller and processor: who is who?
- Duty to inform and prohibition on covert recording
- Lawful basis: which ground should you rely on?
- Data hosting and international transfers
- Retention, minimisation and audio deletion
- Data Processing Agreement (DPA) and AI model training
- Frequently asked questions
Data controller and processor: who is who?
The data controller is the entity that determines the purposes and means of processing (UK GDPR Art. 4(7)). In the context of meeting transcription, that is the organisation using the tool — not the technology provider.
The processor (UK GDPR Art. 4(8)) is the supplier that processes data on behalf of the controller, acting on the controller’s instructions. The AI transcription provider fills this role.
This distinction has direct practical consequences:
- The organisation remains solely accountable to individuals and to the ICO.
- The provider may only act in accordance with documented instructions received from the controller.
- Any data breach committed by the processor can also engage the controller’s liability if the contractual framework was inadequate.
Key takeaway: Deploying an AI transcription tool without a formalised Data Processing Agreement exposes the organisation to direct regulatory liability before the ICO, regardless of whether the provider was at fault.
Records of processing activities
The data controller must include the activity “automated meeting transcription” in its Records of Processing Activities (RoPA) (UK GDPR Art. 30). This entry must document the purpose, categories of data, recipients, retention periods and security measures in place.
Duty to inform and prohibition on covert recording
UK GDPR requires that individuals be informed in a transparent and timely manner (Art. 13). In practice, this means notifying every participant before the meeting begins that it will be recorded and automatically transcribed.
Under UK law, the obligation goes further. The Investigatory Powers Act 2016 and common law principles on privacy mean that recording someone without their knowledge — even in a professional setting — can constitute a serious breach of privacy rights, and potentially unlawful interception. The Employment Practices Code published by the ICO also provides that covert monitoring of workers is only justifiable in exceptional circumstances. Ignorance of these rules is no defence.
The minimum information to communicate to participants includes:
- The identity of the data controller.
- The purpose of the recording and transcription (e.g. producing meeting notes or action logs).
- The lawful basis being relied upon.
- The intended retention period.
- Participants’ rights (access, rectification, objection, erasure).
- The identity of the processor hosting the data.
Practical ways to inform participants
Information can be provided:
- Via a message included in the calendar invitation.
- Through a verbal announcement at the start of the meeting, noted in the minutes.
- Via a banner or notification displayed by the tool when participants join the session.
For appraisals and one-to-ones, a dedicated paragraph in the written notice sent ahead of the meeting is strongly recommended. For more on best practices in this context, see our article on annual appraisal write-ups: templates and best practices.
Lawful basis: which ground should you rely on?
Every processing activity must rest on one of the six lawful bases set out in UK GDPR Art. 6(1). For the transcription of professional meetings, two bases are primarily relevant.
| Lawful basis | Conditions for validity | Advantages | Limitations |
|---|---|---|---|
| Legitimate interests (Art. 6(1)(f)) | Documented balancing test; interests must not override individuals’ rights | No need to collect individual consent | Right to object applies; balancing test must be documented |
| Consent (Art. 6(1)(a)) | Freely given, informed, specific, unambiguous and withdrawable | Strong legitimacy | Difficult to obtain freely in a hierarchical context; unlikely to be valid when tied to employment |
| Legal obligation (Art. 6(1)(c)) | Statutory requirement to keep formal minutes | Robust where applicable | Rarely applicable outside statutory meetings (e.g. board resolutions) |
Key takeaway: Legitimate interests is the most appropriate lawful basis for the majority of internal meetings, provided the balancing test is thoroughly documented and the meeting does not involve sensitive topics (health data, trade union activities, etc.) that would require an enhanced basis.
Special category data
If the meeting touches on subjects likely to reveal special category data (UK GDPR Art. 9) — such as health information, trade union membership or political opinions — the processing requires a specific condition under Art. 9(2), such as explicit consent or a substantial public interest basis. In such cases, best practice is either to avoid automatic transcription altogether or to implement immediate anonymisation.
Data hosting and international transfers
Hosting data within the UK or EEA is the simplest way to ensure compliance. Once audio files or transcripts are routed to servers located outside the UK, the international transfer rules under UK GDPR Chapter V apply.
Valid transfer mechanisms include:
- Adequacy regulations made by the UK Secretary of State (e.g. the EU adequacy decision, or the UK–US Data Bridge — though its long-term legal durability remains uncertain).
- International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses — to be annexed to the DPA.
- Binding Corporate Rules (BCRs) for multinational groups approved by the ICO.
Hosting data on UK or European sovereign infrastructure eliminates this risk at source. For hybrid meetings involving international participants, the question of data localisation takes on an additional dimension — see our article on hybrid meetings: how to include everyone.
Assessing provider risk
Before choosing a tool, verify:
- The country of hosting for processing and storage servers.
- The applicable law governing the data in the event of a dispute or judicial request.
- Whether a robust DPA is available and what it actually covers.
Retention, minimisation and audio deletion
The data minimisation principle (UK GDPR Art. 5(1)(c)) requires that only data strictly necessary for the purpose is collected. The storage limitation principle (UK GDPR Art. 5(1)(e)) requires that it be deleted as soon as it is no longer needed.
In the context of automated transcription:
- The purpose is to produce meeting notes or a summary.
- The raw audio no longer serves any purpose once the transcript has been validated.
- The transcript itself should be retained only for as long as strictly necessary for its operational use (typically 30 to 90 days, unless a specific legal obligation requires otherwise).
| Data | Recommended retention | Rationale |
|---|---|---|
| Raw audio file | Delete immediately once transcript is validated | Minimisation; high-risk asset in the event of a breach |
| Full transcript | 30 to 90 days | Operational use; delete after final meeting notes are archived |
| Finalised meeting notes | Duration of the project / legal obligation | Management document; can be anonymised |
Key takeaway: Deleting the audio as soon as the transcript is generated is the single most effective minimisation measure — it dramatically reduces risk in the event of a data breach and simplifies the management of erasure requests.
For further guidance on structuring meeting outputs, see our article on how to write clear and useful meeting notes in 2026.
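The retention table above can be enforced mechanically rather than left to manual housekeeping. The following Python script is an added example, not code from the article or from any transcription vendor: it encodes the three rows of the table as a decision function over a constructed set of stored artefacts. The record layout, the field names (`transcript_validated`, `notes_archived`, `legal_hold`), the sample data and the 60-day transcript limit (chosen inside the article's 30 to 90 day range) are all assumptions for illustration.

```python
"""Retention sweep for a meeting-transcription pipeline.

Added example, not the article's or any provider's code. It applies the
article's retention table to stored artefacts and decides, per artefact,
whether it should be deleted now. Record layout, field names and sample
data below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Transcript retention must sit inside the article's 30 to 90 day window.
# 60 is an assumed value; set it from your documented retention policy.
TRANSCRIPT_RETENTION_MIN_DAYS = 30
TRANSCRIPT_RETENTION_MAX_DAYS = 90
TRANSCRIPT_RETENTION_DAYS = 60


@dataclass
class Artefact:
    artefact_id: str
    kind: str                          # "audio", "transcript" or "notes"
    meeting_id: str
    created_at: datetime               # timezone-aware
    transcript_validated: bool = False # audio: has the transcript been signed off?
    notes_archived: bool = False       # transcript: are the final notes archived?
    legal_hold: bool = False           # a specific legal obligation blocks deletion


def validate_policy(days: int = TRANSCRIPT_RETENTION_DAYS) -> bool:
    """True if the configured transcript retention is within the 30-90 day range."""
    return TRANSCRIPT_RETENTION_MIN_DAYS <= days <= TRANSCRIPT_RETENTION_MAX_DAYS


def retention_decision(a: Artefact, now: datetime) -> Tuple[bool, str]:
    """Return (delete_now, reason) for one artefact under the retention table.

    Raw audio: delete as soon as the transcript is validated.
    Transcript: delete once final notes are archived, or when it is older than
    TRANSCRIPT_RETENTION_DAYS.
    Finalised notes: kept for the project / legal obligation; never auto-deleted.
    A legal hold overrides every rule (the table's "unless a specific legal
    obligation requires otherwise").
    """
    if a.legal_hold:
        return False, "legal hold: specific legal obligation requires retention"
    if a.kind == "audio":
        if a.transcript_validated:
            return True, "transcript validated: raw audio no longer serves a purpose"
        return False, "transcript not yet validated: audio still needed"
    if a.kind == "transcript":
        if a.notes_archived:
            return True, "final meeting notes archived"
        if now - a.created_at > timedelta(days=TRANSCRIPT_RETENTION_DAYS):
            return True, f"older than the {TRANSCRIPT_RETENTION_DAYS}-day retention limit"
        return False, f"within the {TRANSCRIPT_RETENTION_DAYS}-day retention window"
    if a.kind == "notes":
        return False, "finalised notes: retained for project duration / legal obligation"
    # Unknown kinds are never deleted silently; they need a human decision.
    return False, f"unknown artefact kind {a.kind!r}: no automatic deletion"


def run_retention_sweep(artefacts: List[Artefact], now: datetime) -> List[Tuple[str, str]]:
    """Return (artefact_id, reason) for every artefact that should be deleted now."""
    if not validate_policy():
        raise ValueError("TRANSCRIPT_RETENTION_DAYS is outside the 30-90 day range")
    return [(a.artefact_id, reason)
            for a in artefacts
            for delete, reason in [retention_decision(a, now)] if delete]


# Constructed sample inventory (not real data); the sweep runs "as of" SAMPLE_NOW.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ARTEFACTS = [
    Artefact("aud-001", "audio", "mtg-1", SAMPLE_NOW - timedelta(days=1), transcript_validated=True),
    Artefact("aud-002", "audio", "mtg-2", SAMPLE_NOW - timedelta(hours=2)),
    Artefact("tr-001", "transcript", "mtg-1", SAMPLE_NOW - timedelta(days=1)),
    Artefact("tr-003", "transcript", "mtg-3", SAMPLE_NOW - timedelta(days=75)),
    Artefact("tr-004", "transcript", "mtg-4", SAMPLE_NOW - timedelta(days=5), notes_archived=True),
    Artefact("tr-005", "transcript", "mtg-5", SAMPLE_NOW - timedelta(days=300), legal_hold=True),
    Artefact("nt-001", "notes", "mtg-1", SAMPLE_NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for artefact_id, reason in run_retention_sweep(SAMPLE_ARTEFACTS, SAMPLE_NOW):
        print(f"DELETE {artefact_id}: {reason}")
```

Running the sweep on the sample inventory deletes the validated audio file, the transcript past the 60-day limit and the transcript whose notes are archived, and keeps the unvalidated audio, the fresh transcript, the transcript under legal hold and the finalised notes. Wiring this into a scheduled job, with the deletions logged, gives you the evidence trail the RoPA entry and any erasure request will ask for.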
Data Processing Agreement (DPA) and AI model training
A Data Processing Agreement is a contract made mandatory by UK GDPR Art. 28. It must be signed before any processing of personal data by the provider begins.
Mandatory content of a DPA (UK GDPR Art. 28(3))
The DPA must set out:
- The subject matter and duration of the processing.
- The nature of the operations carried out (collection, storage, analysis, deletion).
- The purpose of the processing and the categories of data involved.
- The obligations and rights of the data controller.
- The technical and organisational security measures implemented.
- The conditions for sub-processing (list of sub-processors).
- The obligation to assist the controller in responding to rights requests or data breaches.
The AI model training question
This is a critical point of vigilance. Some providers include a clause in their terms and conditions permitting the use of your data to improve or train their models. This constitutes a reuse of personal data for a purpose incompatible with the one it was collected for (UK GDPR Art. 5(1)(b)), unless explicit consent has been obtained.
The DPA must expressly prohibit:
- The use of transcripts or audio files to train, fine-tune or evaluate AI models.
- The sale or sharing of data with unlisted third parties.
- Any processing not instructed by the data controller.
The ICO has made clear in its guidance on AI and data protection that repurposing personal data without an appropriate lawful basis constitutes a clear breach of UK GDPR.
Conclusion: a compliance checklist
Bringing your use of an AI transcription tool into compliance does not require extensive legal resources — but it does require a structured approach. Here are the priority actions:
- Register the processing activity in your Records of Processing Activities (RoPA).
- Choose and document your lawful basis (complete a Legitimate Interests Assessment if relying on Art. 6(1)(f)).
- Inform all participants systematically before every recorded session.
- Sign a DPA with your provider, including an explicit prohibition on model training.
- Verify the location of the provider’s servers and the existence of a valid transfer mechanism if data leaves the UK/EEA.
- Configure automatic deletion of audio files once the transcript has been validated.
- Define a maximum retention period for transcripts and meeting notes.
A UK- or EU-hosted tool, backed by an Art. 28-compliant DPA and configured to automatically delete audio after transcription, addresses the vast majority of these requirements by design. UK GDPR compliance should not be a barrier to adopting AI in your meetings — it is the framework that makes that adoption trustworthy.
Frequently asked questions
Must participants always be informed before a meeting is recorded?
Yes. UK GDPR (Art. 13) requires that individuals be informed before their voice data is processed. Under UK law, recording someone without their knowledge can also constitute a breach of privacy rights under the Investigatory Powers Act 2016 and the common law, even in a professional context.
What lawful basis should I use to transcribe a professional meeting?
Legitimate interests (Art. 6(1)(f)) is the most commonly relied-upon basis, provided the organisation’s interests do not override the rights of participants. Consent can also be used, but it must be freely given, informed and withdrawable — which is difficult to guarantee in a hierarchical employment relationship.
How long can I retain the audio recording of a meeting?
The storage limitation principle (UK GDPR Art. 5(1)(e)) requires that data is held only for as long as necessary for its purpose. In practice, audio should be deleted as soon as the transcript is validated; the transcript itself is typically retained for between 30 and 90 days, depending on the organisation’s document retention policy.
Can an AI provider use my meeting recordings to train its models?
Not without your explicit agreement. UK GDPR prohibits repurposing personal data for purposes incompatible with the original purpose (Art. 5(1)(b)). A DPA compliant with Art. 28 must expressly state that the provider may not train its models on your data, nor share that data with third parties, without documented instruction from the data controller.
What is a Data Processing Agreement (DPA) and when is it required?
A DPA is a contract required by UK GDPR Art. 28 whenever a supplier processes personal data on behalf of an organisation. It must cover the subject matter, duration, nature and purpose of the processing, security measures and the processor’s obligations. It is mandatory before any AI transcription tool is deployed.
Is it a problem if my transcription tool hosts data outside the UK?
Yes. Any transfer of personal data to a third country must be supported by an appropriate safeguard: an adequacy regulation, an International Data Transfer Agreement (IDTA), or Binding Corporate Rules approved by the ICO. Without a documented safeguard in place, the transfer is unlawful.
What counts as personal data in a meeting transcript?
Voice, first name, surname, job title, opinions expressed and any indirect identifier that could be used to recognise an individual all constitute personal data under UK GDPR Art. 4(1). A text transcript of a meeting is therefore unambiguously a processing activity subject to the regulation.
