Regulatory obligations

Every professional organisation that discusses personal data, finances, legal matters, or employment has a documented obligation to protect confidential spoken information. Here is how those obligations arise, and what a demonstrable technical control looks like to a regulator.

“…disclosure by transmission, dissemination or otherwise making available…”

UK GDPR, Article 4(2), definition of ‘processing’, legislation.gov.uk

Personal data discussed aloud is still personal data, and securing it against being overheard falls within the scope of Article 32. A conversation about a client, employee, or customer can therefore engage UK GDPR. On that basis, the obligations that follow (security, accountability, and demonstrable technical controls) apply to what is said in your meetings, not only to what is stored in your systems.

UK GDPR, Article 32 and the duty to protect spoken personal data

UK GDPR Article 32(1) requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Personal data discussed aloud is still personal data, and securing it against being overheard falls within the scope of Article 32. A documented acoustic masking installation provides a specific, measurable technical control against the risk of unauthorised verbal disclosure.

UK GDPR Article 32(1), Security of processing, requires organisations to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” The regulation lists examples including pseudonymisation, encryption, and the ability to ensure ongoing confidentiality. It does not limit its scope to digital information.

Information only, not legal advice; confirm interpretation with your legal team.

Processing is defined broadly in Article 4(2) to include “disclosure by transmission, dissemination or otherwise making available,” and the ICO’s data-security guidance treats the physical security of premises (controlling who can access or overhear them) as relevant to the Article 32 obligation. On this view, a conversation in which personal data is discussed (a client review meeting, an HR discussion, a medical consultation) can engage that security obligation.

The risk is not theoretical. The ICO has taken enforcement action against organisations where inadequate controls led to personal data being disclosed, including incidents involving information that could be overheard in reception areas and open-plan offices. Where the matter involves sensitive categories of personal data (health, financial, legal status), the consequences of a disclosure are correspondingly more serious.

What a controller must demonstrate: the “appropriate technical measures” test

A regulator assessing your Article 32 compliance will ask: what specific, documented technical control did you implement to address the risk of unauthorised verbal disclosure? The answer must be specific, not “we close the door” but a documented measure with a measurable outcome.

A commissioned acoustic masking installation, with a written commissioning report confirming that STI falls below 0.20 in the relevant receiving spaces, is exactly such a control. It is specific, measurable, proportionate, and auditable. (The descriptive thresholds for “Confidential” speech privacy in ANSI/ASA S12.70-2016 (R2025) are drawn from a US standard scoped to healthcare facilities, but the underlying STI metric is a recognised, general measure of speech intelligibility.)

→ UK GDPR Article 32(1): security appropriate to the risk
→ ICO Accountability Framework: documented technical controls
→ ICO data-security guidance: physical security within scope of Article 32

Which organisations are affected?

UK GDPR applies to every organisation that discusses personal data, which includes virtually every business and professional practice in the United Kingdom that has client relationships, employs staff, or conducts meetings about individuals.

The obligation is not sector-specific. It applies equally to a five-person accountancy practice and a 500-person financial services firm. The level of technical control required is proportionate to the risk and the sensitivity of the data discussed, but the obligation to implement appropriate measures is universal.

Regulated sectors (financial services, legal, healthcare, HR) face additional sector-specific obligations layered on top of UK GDPR. These are addressed in the sector sections below.

Sound masking as a documented compliance measure

The ICO Accountability Framework, the document against which controllers are assessed in an audit, requires documented evidence that security measures have been considered and implemented at a level appropriate to the risk. An installation report is direct evidence.

In a Data Protection Impact Assessment (DPIA) for a high-risk processing activity, an acoustic masking installation addresses the “technical measures for confidentiality” field with a specific, verifiable answer rather than a generic assurance.

FCA, systems and controls for financial services firms

FCA-authorised firms are expected to maintain robust systems and controls. We read the general systems-and-controls expectations in SYSC 4.1.1R and SYSC 6.1.1R, alongside the UK GDPR Article 32 security duty that applies to all organisations, as relevant to the physical security of client-confidential discussions. A demonstrable speech privacy control, with a written commissioning report, is one way a firm might evidence an organisational measure of this kind.

The Financial Conduct Authority expects authorised firms to maintain robust governance and adequate systems and controls. SYSC 4.1.1R provides that “a firm must have robust governance arrangements, which include… effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.” SYSC 6.1.1R adds a related expectation that firms establish, implement and maintain adequate policies and procedures to comply with their regulatory obligations.

In our view, where a firm’s meetings discuss client positions, investment strategies, or market-sensitive material, a careful reading of these systems-and-controls expectations, together with the UK GDPR Article 32 security duty, supports treating the physical security of those discussions, not only the digital security of recorded data, as a relevant risk to identify and manage. This is our interpretation of how the rules may apply, not a quotation of rule text, and it should be confirmed with your own compliance and legal advisers.

The wider point is that the question a firm should be able to answer is a practical one: what specific measures are in place so that confidential or sensitive discussions cannot readily be overheard by people who are not party to them?

SMCR accountability: Senior Manager responsibility for systems and controls

Under the Senior Managers and Certification Regime (SMCR), named Senior Managers are accountable for the systems and controls in their area. On our reading, where a firm has not considered the risk of confidential discussions being overheard, that is a gap a Senior Manager would be expected to be able to account for, alongside the firm’s wider organisational measures.

→ SYSC 4.1.1R: robust governance and effective risk processes
→ SYSC 6.1.1R: adequate policies and procedures
→ UK GDPR Article 32(1): security appropriate to the risk
→ SMCR: Senior Manager accountability for systems and controls

The practical risk in a financial services office

A client meeting discussing a portfolio review, a trading strategy, or a significant investment event takes place in a meeting room. The corridor outside that room connects to the reception area, to waiting clients, and to other advisers. Without an acoustic control in the corridor, the content of that meeting is frequently audible, and potentially followable, to people who are not party to it.

Where the meeting involves client-confidential material, this is a client confidentiality and data protection risk. Where it involves market-sensitive information, the consequences of an inadvertent disclosure can be more serious still. In either case, the practical question is the same: what specific measures did you have in place to prevent it?

A masking installation in the corridor outside client meeting rooms is a direct, proportionate answer to that question.

SRA, confidentiality obligations for solicitors and law firms

The SRA Codes of Conduct require solicitors and firms to keep client matters confidential unless disclosure is required or permitted by law or the client consents (paragraph 6.3 in both Codes). The SRA’s information and cyber security Risk Outlook has highlighted the need to prevent unauthorised parties overhearing confidential meetings. On our reading, a firm whose waiting room or corridor allows client meetings to be overheard has an identifiable confidentiality risk worth addressing.

The Solicitors Regulation Authority Codes of Conduct address confidentiality at Paragraph 6.3, which appears in both the Code of Conduct for Solicitors and the Code of Conduct for Firms: “You keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents.” This obligation is not limited to written communications, files, or digital records. It extends to anything discussed in the course of the retainer, including what is said in a meeting room, a consultation room, or a telephone call.

The SRA’s 2020/21 Information and cyber security Risk Outlook advised that firms should “make sure that unauthorised parties cannot overhear or see a confidential meeting or materials.” That guidance was framed largely around remote and video meetings, but the underlying principle, that confidential discussions should not be overheard by people outside them, applies equally to a firm’s physical premises. On that basis, it is prudent for firms to consider the risk of unauthorised disclosure arising from their office environment.

In a law firm, the risk is particularly acute because of the nature of client matters: criminal proceedings, matrimonial disputes, property transactions, employment claims, and commercial litigation all involve information that is legally privileged and that clients have a reasonable expectation will not be accessible to third parties, including other clients in the waiting room.

Risk to legal professional privilege: privilege and physical disclosure

Legal professional privilege, both legal advice privilege and litigation privilege, can be lost if privileged material is disclosed, even inadvertently, to a third party who is not party to the privileged communication. A conversation between a solicitor and client overheard by another person in the firm’s premises could constitute a disclosure that puts the privilege at risk, depending on context and the nature of the information.

→ SRA Codes of Conduct, para 6.3: client confidentiality (Solicitors and Firms)
→ SRA Risk Outlook: avoiding confidential meetings being overheard
→ Privilege: risk of inadvertent disclosure to third parties

The waiting room problem

In a legal practice, the reception and waiting room is the highest-risk acoustic space. Clients arriving for their own matter sit within hearing distance of the front desk (where other matters are discussed), adjacent to consultation rooms, and often within audible range of open-plan fee-earner areas.

The clients to whom the firm owes its duty of confidentiality are, at the same time, potential unauthorised recipients of another client’s confidential information.

Masking in the reception and corridor areas addresses this risk at its source, without requiring building work or changes to office layout.

HR and payroll: employee data, disciplinary proceedings, and health information

Employee data is personal data. Discussions about pay, performance, disciplinary matters, sickness, or personal circumstances involve the processing of personal data, and engage the additional protections of UK GDPR Article 9 where they concern special category data (health, ethnicity, religion, trade union membership). An HR meeting overheard through a partition wall may amount to a personal data breach where the content involves special category data, with potential reporting obligations and employment law consequences.

Discussions about employee pay, performance management, disciplinary proceedings, absence, and personal circumstances all constitute the processing of personal data under UK GDPR. Where those discussions involve health information, trade union matters, or other special categories of personal data, they are subject to the additional protections of Article 9, which requires a stricter basis for processing and a higher standard of security.

An HR meeting that is overheard through a partition wall by another employee, overheard in a corridor by a passing manager, or audible to a receptionist from an adjacent office may amount to a disclosure of personal data, and potentially of special category personal data, without a lawful basis. Depending on the circumstances, this can constitute a personal data breach within the meaning of UK GDPR Article 4(12), which the organisation may be required to report to the ICO under Article 33.

Employment law creates a separate layer of obligation. Employees have a right to expect that matters affecting their employment, especially disciplinary proceedings and personal health information, will not be disclosed to their colleagues without their consent. A failure to provide a physically confidential environment for HR meetings creates potential claims in the Employment Tribunal.

CIPD guidance: The CIPD position on confidential HR meetings

The Chartered Institute of Personnel and Development (CIPD) guidance on disciplinary and grievance procedures emphasises that hearings must be conducted in a way that preserves confidentiality, both for the subject of the hearing and for any witnesses. The physical environment of the meeting room is directly relevant to this requirement.

→ UK GDPR Article 9: special category employee data
→ UK GDPR Article 33: mandatory breach reporting
→ Employment law: right to confidentiality in disciplinary proceedings
→ CIPD: confidential meeting environments for HR proceedings

Payroll discussions

Discussions about individual employee pay, including pay reviews, bonus decisions, and dispute resolution, are among the most sensitive categories of information in a workplace. Disclosure of one employee’s pay to their colleagues, even inadvertent disclosure through a partition wall, has significant potential for employment relations damage, discrimination claims, and equal pay liability.

Salary information is personal data. A payroll discussion overheard in the corridor can amount to a personal data breach. Inadequate physical controls that allow sensitive personal information to be overheard are the kind of shortcoming the ICO expects organisations to address as part of their security obligations.

Performance management and sickness

An absence review meeting that discusses an employee’s health condition is processing special category data under UK GDPR Article 9. The Article 32 security obligation applies at its highest level: technical measures must be appropriate to protect information of this sensitivity.

A meeting room used for this purpose, without acoustic control in the adjacent corridor, does not meet this standard in most typical commercial office layouts.

At a glance

Regulatory obligations by sector

→ All organisations

Primary regulatory framework: UK GDPR, ICO
Relevant obligations: Article 32(1): appropriate technical and organisational measures, security appropriate to the risk, covering personal data discussed aloud
Evidence required: Documented technical control; Data Protection Impact Assessment entry

→ Financial advisers, wealth managers, brokers

Primary regulatory framework: FCA, SYSC / SMCR (with UK GDPR)
Relevant obligations: General systems-and-controls expectations (SYSC 4.1.1R, 6.1.1R) read with the Article 32 security duty; Senior Manager accountability (our interpretation)
Evidence required: Written control documentation; commissioning report; SMCR allocation

→ Solicitors and law firms

Primary regulatory framework: SRA Codes of Conduct
Relevant obligations: Client confidentiality (para 6.3) read as extending to the physical environment; privilege protection; SRA Risk Outlook guidance on overhearing
Evidence required: Practice management documentation; physical security assessment evidence

→ HR professionals, in-house HR

Primary regulatory framework: UK GDPR Art. 9 / CIPD / Employment law
Relevant obligations: Special category employee data protection; confidential disciplinary and grievance processes; payroll confidentiality
Evidence required: Data Protection Impact Assessment; physical environment documentation

Which framework applies to you?

Most regulated offices have more than one framework that may apply. A law firm with employed staff is subject to both the SRA Codes of Conduct and to UK GDPR (including Article 9) in respect of its employees. A financial services firm with in-house HR carries FCA systems-and-controls expectations, UK GDPR obligations, and employment law obligations at the same time.

All organisations

UK GDPR Article 32(1) for any meeting where personal data is discussed.

Financial services

FCA SYSC systems-and-controls expectations in addition (our interpretation).

Legal practices

SRA Codes of Conduct confidentiality obligation (para 6.3) in addition.

HR professionals

UK GDPR Article 9 and employment law in addition.

Important, please read

The references to legislation, regulations and professional codes on this page are provided for general information only. They reflect our best interpretation of how acoustic privacy may relate to these obligations and do not constitute legal advice or a legally informed assessment of your circumstances. The exact interpretation and application of these rules depends on your situation. Before relying on any of them, please discuss them with your own legal advisers and data protection or privacy officers.

Understand the technical solution

The regulatory obligations explain why speech privacy matters. The science explains how masking achieves it, with a measurable, documented outcome.