GDPR and cold calling: how to stay compliant

The introduction of the General Data Protection Regulation (GDPR) in 2018 has meant that businesses must modernise how they market their products and services based on customer consent.

While GDPR and cold calling aren't directly related, the regulation does affect how your business collects, stores and processes personal data.

If your business uses customer data to make cold calls, you must ensure that your data use is compliant with GDPR.

Non-compliance carries stiff penalties, with fines of up to €20 million or 4% of global business turnover.

GDPR and cold calling

Cold calling isn't directly affected by GDPR.

However, GDPR governs how personal customer data can be used to make cold calls, including using phone numbers and email addresses.

Article 6 of GDPR allows companies to use a person's personal data for any of the following six reasons:

The customer has given you their explicit consent for you to use their data;
To fulfil a contract with the customer;
To fulfil a legal obligation;
To protect the vital interests of an individual;
To carry out a task in the public interest;
To pursue legitimate interests, except when these interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

The two key considerations for companies with sales teams involved in cold calling are the first and last clauses on this list, which relate to consent and legitimate interests.

The biggest challenge for sales and marketing teams is customer consent.

You cannot assume that you have permission to call a potential customer just because you have their telephone number.

To comply with GDPR, consent has to be all of the following:

Clear and explicit

Consent must be clearly affirmative.

This means the customer must actively give the green light for their data to be used for specific purposes such as contact via telephone.

Not hearing from a customer or hiding away marketing preferences and assuming the customer is giving consent is not compliant.

For a specific organisation and specific purpose

This means companies can't share consent with third parties.

Consent is for a specific purpose and you can't change the nature of what you're using data for without getting additional consent for this.

Consent to receive an email newsletter doesn't mean you can then contact them via telephone, for example.

Easy to withdraw

You must give customers easy options to opt out of consent, and you need to delete their data when consent is withdrawn.

In short, you need explicit permission to store personal data, even if that data is freely available on the web and accessible by anyone.

For example, you can't add a person's phone number to your sales database without permission - even if it is publicly listed - as this counts as processing personal data.

This means that you can't cold call a customer without their documented explicit consent, which effectively rules out cold calling consumers if you don't have their permission for that call.

However, the justification of legitimate interest makes things a little easier.

Legitimate use, GDPR and cold calling

Article 6 of GDPR gives businesses using cold calling grounds to do so if it is carried out as a legitimate interest.

Recital 47 of GDPR clarifies: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

In other words, businesses have a legitimate interest to market themselves to customers - which includes cold calling. However, your business's legitimate interest can be overridden by the interests, fundamental rights or freedoms of the data subject, in this case the customer.

In short, your right to cold call as a legitimate business interest must be balanced against the prospect's right not to be called.

That can make GDPR and cold calling a bit of a minefield. It's better to err on the side of caution and put in place processes that show your business has tried to capture, store and process data within GDPR guidelines.

GDPR and cold calling - how to keep compliant

Handle data in line with GDPR

This means setting out clear policies in your business detailing how personal data is captured, stored and used.

Ensure you have clear roles and rules in place that adhere to GDPR requirements.

Many businesses rely on sourcing third-party lists of leads to call. If buying lists from third parties, ensure that all prospects on the list have given their consent for this information to be shared with you and given their consent to be contacted by you for the purpose stated.

You must get proof of this consent before cold calling.

Use privacy technologies

Ensure phone calls are recorded and that conversations are stored securely and are encrypted.

Be selective about calling

Make sure sales teams identify prospects carefully to ensure there would be a legitimate interest in the customer wanting to find out more about your services or products.

Keep calls infrequent

Lots of calls in a short timeframe to the same customer would likely infringe GDPR if the customer felt inconvenienced by the number of calls.

Use follow-up emails that explain why and how personal data is used and provide clear ways for customers to easily opt out of further use of their data.

Disclaimer: While we make reasonable efforts to keep the information on this page up to date, we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. The information is intended for general information purposes only and does not take into account your personal situation, nor does it constitute legal, financial, tax or other professional advice. You should always consider whether the information is applicable to your particular circumstances and, where appropriate, seek professional or specialist advice or support.
