→ UK GDPR Article 4(2): definition of ‘processing’ (legislation.gov.uk)
UK GDPR Article 32(1), Security of processing, requires organisations to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” The regulation lists examples including pseudonymisation, encryption, and the ability to ensure ongoing confidentiality. It does not limit its scope to digital information.
Information only, not legal advice; confirm interpretation with your legal team.
Personal data discussed aloud is still personal data, and protecting it against being overheard falls within the scope of Article 32. Processing is defined broadly in Article 4(2) to include “disclosure by transmission, dissemination or otherwise making available,” and the ICO’s data-security guidance treats the physical security of premises (controlling who can access them, and who can overhear what is said in them) as relevant to the Article 32 obligation. On this view, a conversation in which personal data is discussed (a client review meeting, an HR discussion, a medical consultation) can engage that security obligation.
The risk is not theoretical. The ICO has taken enforcement action against organisations where inadequate controls led to personal data being disclosed, including incidents involving information that could be overheard in reception areas and open-plan offices. Where the matter involves sensitive categories of personal data (health, financial, legal status), the consequences of a disclosure are correspondingly more serious.
What a controller must show: the “appropriate technical measures” test
A regulator assessing your Article 32 compliance will ask what specific, documented technical control you implemented to address the risk of unauthorised verbal disclosure. The answer needs to be specific: not “we close the door”, but a documented measure with a measurable outcome.
A commissioned acoustic masking installation, with a written commissioning report confirming that STI falls below 0.20 in the relevant receiving spaces, is exactly such a control. It is specific, measurable, proportionate, and auditable. (The descriptive thresholds for “Confidential” speech privacy in ANSI/ASA S12.70-2016 (R2025) are drawn from a US standard scoped to healthcare facilities, but the underlying STI metric is a recognised, general measure of speech intelligibility.)
→ UK GDPR Article 32(1): security appropriate to the risk
→ ICO Accountability Framework: documented technical controls
→ ICO data-security guidance: physical security within scope of Article 32
Which organisations are affected?
UK GDPR applies to every organisation that processes personal data, and discussing personal data aloud is processing. That covers virtually every business and professional practice in the United Kingdom that has client relationships, employs staff or holds meetings about individuals.
The obligation is not sector-specific. It applies equally to a five-person accountancy practice and a 500-person financial services firm. The level of technical control required is proportionate to the risk and the sensitivity of the data discussed, but the obligation to implement appropriate measures is universal.
Regulated sectors (financial services, legal, healthcare, HR) face additional sector-specific obligations layered on top of UK GDPR. These are addressed in the sector sections below.
Sound masking as a documented compliance measure
The ICO Accountability Framework (the document against which controllers are assessed in an ICO audit) requires documented evidence that security measures have been considered and implemented at a level appropriate to the risk. A commissioning report for an acoustic masking installation is direct evidence of exactly that.
In a Data Protection Impact Assessment (DPIA) for a high-risk processing activity, an acoustic masking installation addresses the “technical measures for confidentiality” field with a specific, verifiable answer rather than a generic assurance.
Financial services
The Financial Conduct Authority expects authorised firms to maintain robust governance and adequate systems and controls. SYSC 4.1.1R provides that “a firm must have robust governance arrangements, which include… effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.” SYSC 6.1.1R adds a related expectation that firms establish, implement and maintain adequate policies and procedures to comply with their regulatory obligations.
In our view, where a firm’s meetings discuss client positions, investment strategies or market-sensitive material, these systems-and-controls expectations, read together with the UK GDPR Article 32 security duty, support treating the physical security of those discussions (not only the digital security of recorded data) as a risk to identify and manage. This is our interpretation of how the rules may apply, not a quotation of rule text, and it should be confirmed with your own compliance and legal advisers.
The wider point is that the question a firm should be able to answer is a practical one: what specific measures are in place so that confidential or sensitive discussions cannot readily be overheard by people who are not party to them?
SMCR accountability: Senior Manager responsibility for systems and controls
Under the Senior Managers and Certification Regime (SMCR), named Senior Managers are accountable for the systems and controls in their area. On our reading, where a firm has not considered the risk of confidential discussions being overheard, that is a gap a Senior Manager would be expected to be able to account for, alongside the firm’s wider organisational measures.
→ SYSC 4.1.1R: robust governance and effective risk processes
→ SYSC 6.1.1R: adequate policies and procedures
→ UK GDPR Article 32(1): security appropriate to the risk
→ SMCR: Senior Manager accountability for systems and controls
The practical risk in a financial services office
A client meeting discussing a portfolio review, a trading strategy or a significant investment event takes place in a meeting room. The corridor outside that room connects to the reception area, to waiting clients and to other advisers. Without an acoustic control in the corridor, the content of that meeting is often audible, and sometimes intelligible, to people who are not party to it.
Where the meeting involves client-confidential material, this is a client confidentiality and data protection risk. Where it involves market-sensitive information, the consequences of an inadvertent disclosure can be more serious still. In either case, the practical question is the same: what specific measures did you have in place to prevent it?
A masking installation in the corridor outside client meeting rooms is a direct, proportionate answer to that question.
Legal practices
The Solicitors Regulation Authority Codes of Conduct address confidentiality at Paragraph 6.3, which appears in both the Code of Conduct for Solicitors and the Code of Conduct for Firms: “You keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents.” This obligation is not limited to written communications, files or digital records. It extends to anything discussed in the course of the retainer, including what is said in a meeting room, a consultation room or a telephone call.
The SRA’s 2020/21 Information and cyber security Risk Outlook advised that firms should “make sure that unauthorised parties cannot overhear or see a confidential meeting or materials.” That guidance was framed largely around remote and video meetings, but the underlying principle, that confidential discussions should not be overheard by people outside them, applies equally to a firm’s physical premises. On that basis, it is prudent for firms to consider the risk of unauthorised disclosure arising from their office environment.
In a law firm, the risk is particularly acute because of the nature of client matters: criminal proceedings, matrimonial disputes, property transactions, employment claims and commercial litigation all involve information that is often legally privileged and that clients reasonably expect will not be accessible to third parties, including other clients in the waiting room.
Risk to legal professional privilege: Privilege and physical disclosure
Legal professional privilege, both legal advice privilege and litigation privilege, can be lost if privileged material is disclosed, even inadvertently, to a third party who is not party to the privileged communication. A conversation between a solicitor and client overheard by another person in the firm’s premises could constitute a disclosure that puts the privilege at risk, depending on context and the nature of the information.
→ SRA Codes of Conduct, para 6.3: client confidentiality (Solicitors and Firms)
→ SRA Risk Outlook: avoiding confidential meetings being overheard
→ Privilege: risk of inadvertent disclosure to third parties
The waiting room problem
In a legal practice, the reception and waiting room is the highest-risk acoustic space. Clients arriving for their own matter sit within hearing distance of the front desk (where other matters are discussed), adjacent to consultation rooms, and often within audible range of open-plan fee-earner areas.
The people to whom the firm owes its duty of confidentiality are, while they wait, also potential unauthorised recipients of another client’s confidential information.
Masking in the reception and corridor areas addresses this risk at its source, without requiring building work or changes to office layout.
HR professionals
Discussions about employee pay, performance management, disciplinary proceedings, absence and personal circumstances all constitute the processing of personal data under UK GDPR. Where those discussions involve health information, trade union membership or other special categories of personal data, Article 9 applies: processing requires one of its specific conditions in addition to a lawful basis, and because the risk to the individual is higher, the Article 32 risk-based test demands correspondingly stronger security measures.
An HR meeting that is overheard through a partition wall by another employee, overheard in a corridor by a passing manager, or audible to a receptionist from an adjacent office may amount to a disclosure of personal data, and potentially of special category personal data, without a lawful basis. Depending on the circumstances, this can constitute a personal data breach within the meaning of UK GDPR Article 4(12), which the organisation may be required to report to the ICO under Article 33.
Employment law creates a separate layer of obligation. Employees can reasonably expect that matters affecting their employment, especially disciplinary proceedings and personal health information, will not be disclosed to colleagues without their consent. A failure to provide a physically confidential environment for HR meetings can contribute to claims in the Employment Tribunal.
CIPD guidance: The CIPD position on confidential HR meetings
The Chartered Institute of Personnel and Development (CIPD) guidance on disciplinary and grievance procedures emphasises that hearings must be conducted in a way that preserves confidentiality, both for the subject of the hearing and for any witnesses. The physical environment of the meeting room is directly relevant to this requirement.
→ UK GDPR Article 9: special category employee data
→ UK GDPR Article 33: mandatory breach reporting
→ Employment law: right to confidentiality in disciplinary proceedings
→ CIPD: confidential meeting environments for HR proceedings
Payroll discussions
Discussions about individual employee pay, including pay reviews, bonus decisions, and dispute resolution, are among the most sensitive categories of information in a workplace. Disclosure of one employee’s pay to their colleagues, even inadvertent disclosure through a partition wall, has significant potential for employment relations damage, discrimination claims, and equal pay liability.
Salary information is personal data. A payroll discussion overheard in the corridor can amount to a personal data breach. Inadequate physical controls that allow sensitive personal information to be overheard are the kind of shortcoming the ICO expects organisations to address as part of their security obligations.
Performance management and sickness
An absence review meeting that discusses an employee’s health condition is processing special category data under UK GDPR Article 9. The Article 32 security obligation is at its most demanding here: technical measures must be appropriate to information of this sensitivity.
A meeting room used for this purpose without acoustic control in the adjacent corridor is unlikely to meet that standard in most conventional commercial office layouts.
Organisation type: All organisations
Primary regulatory framework: UK GDPR, ICO
Relevant obligations: Article 32(1): appropriate technical and organisational measures, security appropriate to the risk, covering personal data discussed aloud
Evidence required: Documented technical control; Data Protection Impact Assessment entry