Deploying an artificial intelligence tool to automatically transcribe meetings or professional interviews adds real value — but it immediately triggers a series of legal obligations. UK GDPR applies as soon as data that can identify individuals — voice, names, job titles, opinions — is collected and processed.
Here are the key points to keep in mind before going any further:
- Inform participants before any recording takes place (UK GDPR Art. 13, plus the interception rules of the Investigatory Powers Act 2016 where calls on the organisation's own communications systems are recorded).
- Formalise the relationship with your provider through a Data Processing Agreement (UK GDPR Art. 28).
- Host data within the UK or EEA, or ensure a valid transfer mechanism is in place.
- Limit retention periods and delete the audio as soon as the transcript has been finalised.
- Contractually prohibit the AI provider from training its models on your data.
Table of Contents
- Data controller and processor: who is who?
- Duty to inform and prohibition on covert recording
- Lawful basis: which legal ground should you choose?
- Data hosting and international transfers
- Retention, minimisation and audio deletion
- Data Processing Agreement (DPA) and AI model training
- Frequently asked questions
Data controller and processor: who is who?
The data controller is the entity that determines the purposes and means of processing (UK GDPR Art. 4(7)). When it comes to meeting transcription, the controller is the organisation using the tool — not the technology provider.
The processor (UK GDPR Art. 4(8)) is the provider that processes data on behalf of the controller, acting on the controller’s documented instructions. The AI transcription vendor occupies this role.
This distinction has direct practical consequences:
- The organisation remains accountable to data subjects and to the ICO (Information Commissioner’s Office). The processor has its own direct obligations under UK GDPR (for example on security and sub-processing), but those do not relieve the controller of its responsibility.
- The provider may only act on the controller’s documented instructions (Art. 28(3)(a)); any processing outside them puts the provider in the position of a controller for that processing.
- A data breach caused by the processor also engages the controller’s liability where the contractual and technical safeguards the controller put in place were inadequate.
Key takeaway: Deploying an AI transcription tool without a formalised Data Processing Agreement exposes the organisation to direct liability before the ICO, regardless of whether the fault lies with the provider.
Records of processing activities
The data controller must add the activity “automated meeting transcription” to its Record of Processing Activities (RoPA) (UK GDPR Art. 30). The entry must set out the purpose, the categories of data subjects and of data, the recipients (including the transcription provider and its sub-processors), any international transfers, the retention period and the security measures in place.
Duty to inform and prohibition on covert recording
UK GDPR requires data subjects to be informed in advance and transparently (Art. 13). In practice, this means notifying every participant before the meeting begins that it will be recorded and automatically transcribed.
The legal stakes go further than data protection alone. Where recordings are made of communications passing over the organisation’s own telecoms or video-conferencing systems, the Investigatory Powers Act 2016 and the business-monitoring regulations made under it only permit this if reasonable efforts have been made to tell users that their communications may be recorded; covert recording also risks breaching the common law duty of confidence. The ICO’s guidance on monitoring workers points the same way: workers must be told when and how their communications are being captured.
The minimum information to communicate to participants:
- The identity of the data controller.
- The purpose of the recording and transcription (e.g. producing meeting minutes).
- The lawful basis relied upon.
- The intended retention period.
- Participants’ rights (access, rectification, objection, erasure).
- The identity of the processor hosting the data.
Practical ways to inform participants
The required information can be provided:
- Via a message included in the calendar invitation.
- Through a verbal announcement at the start of the meeting, documented in the minutes.
- Via a banner or notification displayed by the tool when participants join the session.
For annual appraisals or one-to-one reviews, a dedicated paragraph in the written invite is strongly recommended. For more on documentation best practices in this context, see our article on writing an effective appraisal meeting record: template and best practices.
Lawful basis: which legal ground should you choose?
Every processing activity must rest on one of the six lawful bases set out in UK GDPR Art. 6(1). For the transcription of professional meetings, three bases are worth weighing, although in practice only the first two are usually available.
| Lawful basis | Conditions for validity | Advantages | Limitations |
|---|---|---|---|
| Legitimate interests (Art. 6(1)(f)) | Documented balancing test; interests must not override data subjects’ rights | No need to collect individual consent | Right to object applies; balancing test must be documented |
| Consent (Art. 6(1)(a)) | Freely given, informed, specific, unambiguous, withdrawable | Strong legitimacy | Difficult to obtain freely in a hierarchical workplace context; unlikely to be valid when tied to employment |
| Legal obligation (Art. 6(1)(c)) | Statutory requirement to keep formal minutes | Robust where applicable | Rarely applicable outside board meetings and statutory consultations |
Key takeaway: Legitimate interests is the most appropriate lawful basis for the majority of internal meetings, provided the balancing test (the ICO’s Legitimate Interests Assessment) is thoroughly documented and no special category data (health information, trade union membership, etc.) is captured without an additional condition under Art. 9. Where the deployment amounts to systematic monitoring of staff, a Data Protection Impact Assessment (Art. 35) is also likely to be required.
The special case of sensitive data
If a meeting covers topics likely to reveal special category data (UK GDPR Art. 9) — such as health information, trade union membership or political opinions — an additional condition under Art. 9(2) must be met, such as explicit consent or a substantial public interest basis. In such cases, the safest approach is to switch transcription off for that meeting or that part of it. Anonymising the output afterwards only helps if the result genuinely cannot be linked back to an individual; a transcript that merely drops names but keeps the context is still personal data.
Data hosting and international transfers
Hosting data within the UK is the simplest way to ensure compliance, and the EEA is covered by UK adequacy regulations. Once audio files or transcripts are routed to servers located outside the UK, the international transfer rules under UK GDPR Chapter V apply; this includes remote access by the provider’s staff or sub-processors from abroad, not only the location of the storage servers.
Valid transfer mechanisms include:
- Adequacy regulations made by the UK Secretary of State (covering the EEA, a number of other countries, and, for certified US organisations, the UK extension to the EU-US Data Privacy Framework known as the UK-US data bridge); their legal status should be monitored over time.
- International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses, annexed to the DPA and accompanied by a documented transfer risk assessment.
- Binding Corporate Rules (BCRs) for multinational groups, approved by the ICO.
Hosting data on UK or European infrastructure removes most of this risk at source, provided the provider’s sub-processors and support access are also located there. For hybrid meetings involving international participants, the question of data localisation takes on added complexity — see our article on hybrid meetings: how to include everyone.
Assessing provider risk
Before choosing a tool, verify:
- The country of hosting for both processing and storage servers, including where the speech-to-text model itself runs.
- The full list of sub-processors and the countries from which support staff can access customer data.
- The applicable law governing data in the event of a dispute or legal disclosure request.
- The existence and robustness of the DPA on offer, and whether the transfer mechanism (IDTA or UK Addendum) is annexed to it.
Retention, minimisation and audio deletion
The data minimisation principle (UK GDPR Art. 5(1)(c)) requires that only data strictly necessary for the stated purpose be collected. The storage limitation principle (Art. 5(1)(e)) requires that data be deleted once it is no longer needed.
In the context of automated transcription:
- The purpose is to produce meeting minutes or a summary.
- The raw audio no longer serves any purpose once the transcript has been validated.
- The transcript itself should be retained only for as long as is strictly necessary for record-keeping purposes (typically 30 to 90 days, unless a specific legal obligation requires otherwise).
| Data | Recommended retention | Justification |
|---|---|---|
| Raw audio file | Delete immediately after transcript is validated | Minimisation; high risk in the event of a breach |
| Full transcript | 30 to 90 days | Operational use; delete after final minutes are archived |
| Finalised meeting minutes | Duration of project / legal obligation | Management document; can be anonymised |
Key takeaway: Deleting the audio as soon as the transcript is generated is the single most effective minimisation measure — it dramatically reduces risk in the event of a data breach and simplifies the management of erasure requests.
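The retention table above is a policy; what a practitioner needs is a sweep that applies it automatically and catches the failure mode the table hides, namely a recording whose transcript is never validated and so never triggers deletion. The following Python is an added example written for this article (it is not any transcription product's API): it models the three artefact types, applies the audio-on-validation and 30-to-90-day transcript rules, adds hard caps so that unvalidated items cannot live forever, and honours a legal hold. The field names, the cap values and the sample inventory are assumptions chosen for illustration.

```python
"""Retention sweep for AI meeting-transcription artefacts.

Added example: applies the retention table (audio -> delete once the
transcript is validated; transcript -> delete once minutes are archived,
never beyond a cap; finalised minutes -> kept under their own schedule)
to an inventory of stored artefacts and returns what to delete and why.
Field names, caps and the sample inventory are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Kind(Enum):
    AUDIO = "audio"
    TRANSCRIPT = "transcript"
    MINUTES = "minutes"


@dataclass(frozen=True)
class Artefact:
    artefact_id: str
    kind: Kind
    created: datetime                   # timezone-aware UTC timestamp
    transcript_validated: bool = False  # audio: linked transcript signed off?
    minutes_archived: bool = False      # transcript: final minutes archived?
    legal_hold: bool = False            # litigation hold / statutory retention


@dataclass(frozen=True)
class Policy:
    # Audio goes as soon as the transcript is validated; the hard cap stops a
    # never-validated recording from surviving indefinitely.
    audio_max_age: timedelta = timedelta(days=30)
    # Transcripts go once minutes are archived, and never outlive the cap.
    transcript_max_age: timedelta = timedelta(days=90)


def decide(a: Artefact, now: datetime, policy: Policy) -> tuple[bool, str]:
    """Return (delete?, reason) for one artefact under the policy."""
    if a.legal_hold:
        return False, "legal hold: retention suspended"
    age = now - a.created
    if a.kind is Kind.AUDIO:
        if a.transcript_validated:
            return True, "audio: transcript validated"
        if age > policy.audio_max_age:
            return True, f"audio: unvalidated for >{policy.audio_max_age.days}d (hard cap)"
        return False, "audio: awaiting transcript validation"
    if a.kind is Kind.TRANSCRIPT:
        if a.minutes_archived:
            return True, "transcript: final minutes archived"
        if age > policy.transcript_max_age:
            return True, f"transcript: older than {policy.transcript_max_age.days}d (hard cap)"
        return False, "transcript: within operational retention"
    # Finalised minutes follow the project / statutory schedule, not this sweep.
    return False, "minutes: retained under records-management schedule"


def sweep(inventory: list[Artefact], now: datetime, policy: Policy = Policy()) -> dict[str, str]:
    """Apply the policy to every artefact; map artefact_id -> reason for those to delete."""
    to_delete: dict[str, str] = {}
    for a in inventory:
        delete, reason = decide(a, now, policy)
        if delete:
            to_delete[a.artefact_id] = reason
    return to_delete


# Constructed sample inventory (not real data), evaluated at a fixed "now".
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Artefact("aud-1", Kind.AUDIO, NOW - timedelta(days=1), transcript_validated=True),
    Artefact("aud-2", Kind.AUDIO, NOW - timedelta(days=45)),   # validation never happened
    Artefact("aud-3", Kind.AUDIO, NOW - timedelta(days=2)),    # still pending, within cap
    Artefact("tr-1", Kind.TRANSCRIPT, NOW - timedelta(days=10), minutes_archived=True),
    Artefact("tr-2", Kind.TRANSCRIPT, NOW - timedelta(days=120)),
    Artefact("tr-3", Kind.TRANSCRIPT, NOW - timedelta(days=120), legal_hold=True),
    Artefact("min-1", Kind.MINUTES, NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for artefact_id, reason in sweep(SAMPLE, NOW).items():
        print(f"DELETE {artefact_id}: {reason}")
```

Run against the sample, the sweep flags aud-1 (validated), aud-2 (hit the 30-day cap without ever being validated), tr-1 (minutes archived) and tr-2 (past 90 days), while leaving aud-3, the transcript under legal hold and the finalised minutes alone. The two hard caps are the point of the exercise: a workflow that only deletes on a "validated" or "archived" event silently accumulates audio whenever someone forgets to click the button, which is exactly the high-risk data the table says to remove first.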
For further guidance on structuring meeting outputs, see our article on how to write clear and useful meeting minutes in 2026.
Data Processing Agreement (DPA) and AI model training
A Data Processing Agreement is a contract made mandatory by UK GDPR Art. 28. It must be signed before the provider carries out any processing of personal data on your behalf.
Mandatory content of a DPA (UK GDPR Art. 28(3))
The DPA must set out:
- The subject matter and duration of the processing.
- The nature of the operations carried out (collection, storage, analysis, deletion).
- The purpose of the processing and the categories of data involved.
- The obligations and rights of the data controller.
- The technical and organisational security measures in place.
- The conditions for sub-processing (including a list of any sub-processors in the chain and prior notice of changes to it).
- The obligation to assist the controller in responding to data subject rights requests or data breaches.
- The deletion or return of all personal data at the end of the contract, with existing copies removed.
- The controller’s right to audit the processor, and the processor’s duty to make available the information needed to demonstrate compliance.
The AI model training question
This is a critical point of vigilance. Some providers include a clause in their terms and conditions permitting the use of customer data to improve or train their models. Unless the controller has expressly instructed this and has a lawful basis and transparency in place for it, such training is processing outside documented instructions (Art. 28(3)(a)) and a secondary use incompatible with the original purpose (Art. 5(1)(b)); a blanket clause buried in standard terms does not satisfy either requirement.
The DPA must expressly prohibit:
- The use of transcripts or audio files to train, fine-tune or evaluate AI models.
- The transfer or sharing of data with any third party not listed in the agreement.
- Any processing not instructed by the data controller.
The ICO has made clear in its guidance on AI and data protection that repurposing data without a valid lawful basis constitutes a clear breach of UK GDPR.
Conclusion: a compliance checklist
Bringing your use of an AI transcription tool into compliance does not require significant legal resources — but it does require a methodical approach. Here are the priority actions:
- Add the processing activity to your Record of Processing Activities (RoPA).
- Choose and document the lawful basis (complete a balancing test if relying on legitimate interests), and carry out a DPIA where the deployment amounts to systematic monitoring of staff.
- Inform all participants before every recorded session.
- Sign a DPA with the provider, including an explicit prohibition on model training.
- Verify the location of servers and the existence of a valid transfer mechanism if data leaves the UK or EEA.
- Configure automatic deletion of audio files once the transcript has been validated.
- Set a maximum retention period for transcripts and meeting minutes.
A tool hosted on UK or European infrastructure, backed by a DPA compliant with Art. 28 and configured to automatically delete audio files after transcription, structurally meets the vast majority of these requirements. UK GDPR compliance should not be a barrier to adopting AI in your meetings — it is the framework that makes that adoption trustworthy.
Frequently asked questions
Is it mandatory to inform participants before recording a meeting?
Yes. UK GDPR (Art. 13) requires data subjects to be informed before their voice data is processed. Beyond data protection law, covertly recording workplace conversations can breach the interception rules of the Investigatory Powers Act 2016 where the organisation’s own communications systems are involved, and the implied duty of trust and confidence in employment relationships.
Which lawful basis should be used to transcribe a professional meeting?
Legitimate interests (Art. 6(1)(f)) is the most commonly relied-upon basis, provided the organisation’s interests do not override the rights of participants. Consent may also be used, but it must be freely given, informed and withdrawable — conditions that are difficult to satisfy in a hierarchical workplace context.
How long can a meeting recording be retained?
The storage limitation principle (UK GDPR Art. 5(1)(e)) requires that data be kept only for as long as necessary for its purpose. In practice, audio should be deleted as soon as the transcript is validated; the transcript itself is typically retained for between 30 and 90 days, depending on the organisation’s document management policy.
Can an AI provider use my meeting recordings to train its models?
Not without explicit agreement. UK GDPR prohibits repurposing data for uses incompatible with the original purpose (Art. 5(1)(b)). A DPA compliant with Art. 28 must expressly state that the provider may not train its models on your data, nor share data with third parties without documented instructions from the controller.
What is a Data Processing Agreement (DPA) and when is it required?
A DPA is a contract required by UK GDPR Art. 28 whenever a third-party provider processes personal data on behalf of an organisation. It must specify the subject matter, duration, nature of the processing, security measures and the processor’s obligations. It is mandatory before deploying any AI transcription tool.
Is it problematic to host a transcription tool outside the UK?
It is not prohibited, but it needs a safeguard. Any transfer of personal data outside the UK must be supported by an adequacy regulation, an International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (with a transfer risk assessment), or Binding Corporate Rules approved by the ICO. Without a documented safeguard, the transfer is unlawful.
What counts as personal data in a meeting transcript?
Voice, first name, surname, job title, opinions expressed and any indirect identifier that could allow a person to be recognised all constitute personal data under UK GDPR Art. 4(1). A written transcript of a meeting is therefore a processing activity subject to the full requirements of the regulation.
