
Thinking of using AI transcription tools for client calls? Read this first

Annabel Kaye
AI transcription tools and GDPR

“Which app should we use?”

Few people discussing AI transcription tools and GDPR seemed to realise how much sensitive information these systems may actually process behind the scenes.

Recently I watched a Virtual Assistant ask a very normal question in an online business group:

“What’s the best transcription app for client calls?”

Within minutes, helpful recommendations poured in:

  • Otter
  • Fathom
  • Rev
  • Zoom AI tools
  • automatic note takers
  • AI summaries

Everyone was trying to help. The client seemed happy for the VA to choose a tool and get going.

But almost nobody in the conversation appeared to stop and ask what would actually happen to the client data once these tools were switched on.

That matters because the calls being discussed were highly likely to involve health-related information. In recent weeks I have seen similar discussions around potential children’s data too.

And this is where businesses can accidentally walk into a data privacy problem without even realising it.

Why AI transcription tools and GDPR matter together

Modern AI transcription tools are not just digital dictaphones. Depending on the platform and settings used, they may:

  • record meetings
  • create searchable transcripts
  • generate AI summaries
  • identify speakers
  • store recordings in the cloud
  • sync with calendars or CRMs
  • allow access by assistants or team members
  • retain transcripts for future searches
  • process information outside the UK

Some tools also use additional subprocessors or AI systems behind the scenes.

That does not automatically make them “bad” or unusable. But it does mean businesses should understand what they are turning on before using them with client confidential information.

Why sensitive data changes the picture

The risks become more significant where conversations may involve:

  • health information
  • children’s data
  • safeguarding
  • SEN discussions
  • family circumstances
  • financial information
  • disciplinary matters
  • counselling or coaching conversations
  • other special category or confidential data

For example, many aesthetics consultations will almost inevitably involve health-related information unless the business has deliberately separated that into another process.

Health data is special category data and has additional rules beyond ordinary personal data. Children’s data also has to be handled carefully.

Simply saying “this call may be recorded” may not always be enough if people do not properly understand that AI transcription, summaries, searchable transcripts or third-party processing are involved.

People may imagine a simple replay recording. They may not realise the conversation could also be:

  • transcribed by AI
  • analysed
  • indexed
  • stored externally
  • processed overseas
  • or made searchable later

And you can’t really blame them. Do you know, off the top of your head, where the tools you use to record meetings store and process data?

What should you check before switching one on?

Before enabling AI transcription tools for client calls, businesses should check things like:

  • where is the data stored?
  • who can access transcripts?
  • are recordings retained automatically?
  • are AI summaries enabled by default?
  • can AI training features be disabled?
  • are subprocessors listed?
  • how does deletion work?
  • who owns the transcript?
  • can transcripts be searched later?
  • does the tool fit the type of information being discussed?

A quick sales call for photocopier paper is not going to present the same risks to data privacy as a conversation about health, finance or a child. And you may be discussing commercially sensitive information that does not include personal data but still does not need to drift outside the group discussing it.

Now may be a good time to organise a GDPR health check or get updated. The speed of change is so rapid we can no longer rely on the thinking we had a couple of years ago.

The problem with “the VA picked a tool”

If you are choosing software for your own business, you still need to understand what the tool is doing with your meeting data before switching it on.

But the bigger issue is when a VA or team member turns on AI transcription tools for a client without their business client fully understanding what is happening behind the scenes.

That can create problems very quickly where calls may involve health information, children’s data, safeguarding concerns, financial discussions or confidential client situations.

These tools should never be used secretly, and people attending meetings should genuinely understand if AI transcription, summaries or searchable transcripts are being used — not just vaguely hear “this meeting may be recorded”.

If a business starts using AI transcription tools for meetings, that may also mean updating things like:

  • data privacy policy
  • internal procedures
  • records of how and where personal data is processed (sometimes called a Record of Processing Activities or RoPA)
  • Data Processing Agreements (DPA) with freelancers

because the business may now be handling meeting information very differently from before.

That is exactly why these tools should not simply be switched on because they look useful or save time.

You would never let someone you had only vaguely heard of wander into a sensitive meeting and start making notes they could share with anyone. Why do we feel that AI is somehow magically safer than that? We are all familiar with the big brand names in the note-taker space, but few of us have any clue what they are sharing or storing.