GDPR and cold calling: how to stay compliant
The introduction of the General Data Protection Regulation (GDPR) in 2018 has meant that businesses must modernise how they market their products and services based on customer consent.
While GDPR and cold calling aren't directly related, the regulation does affect how your business collects, stores and processes personal data.
If your business uses customer data to make cold calls, you must ensure that your data use is compliant with GDPR.
Non-compliance carries stiff penalties, with fines of up to €20 million or 4% of global business turnover.
GDPR and cold calling
Cold calling isn't directly affected by GDPR.
However, GDPR governs how personal customer data can be used to make cold calls, including using phone numbers and email addresses.
Article 6 of GDPR allows companies to use a person's personal data for any of the following six reasons:
The customer has given you their explicit consent for you to use their data;
- To fulfil a contract with the customer;
- To fulfil a legal obligation;
- To protect the vital interests of an individual;
- To carry out a task in the public interest;
- To pursue legitimate interests, except when these interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The two key considerations for companies with sales teams involved in cold calling are the first and last clauses on this list, which relate to consent and legitimate interests.
Consent, GDPR and cold calling
The biggest challenge for sales and marketing teams is customer consent.
You cannot assume that you have permission to call a potential customer just because you have their telephone number.
To comply with GDPR, consent has to be all of the following:
Clear and explicit
Consent must be clearly affirmative.
This means the customer must actively give the greenlight for their data to be used for specific purposes such as contact via telephone.
Not hearing from a customer or hiding away marketing preferences and assuming the customer is giving consent is not compliant.
For a specific organisation and specific purpose
This means companies can't share consent with third-parties.
Consent is for a specific purpose and you can't change the nature of what you're using data for without getting additional consent for this.
Consent to receive an email newsletter doesn't mean you can then contact them via telephone, for example.
Easy to withdraw
You must give customers easy options to opt out of consent, and you need to delete their data when consent is withdrawn.
In short, you need explicit permission to store personal data, even if that data is freely available on the web and accessible by anyone.
For example, you can't add a person's phone number to your sales database without permission - even if it is publicly listed - as this counts as processing personal data.
This means that you can't cold call a customer without their documented explicit consent, which effectively rules out cold calling consumers if you don't have their permission for that call.
However, the justification of legitimate interest makes things a little easier.
Legitimate use, GDPR and cold calling
Article 6 of GDPR gives businesses using cold calling grounds to do so if it is carried out as a legitimate interest.
Recital 47 of GDPR clarifies: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
In other words, businesses have a legitimate interest to market themselves to customers - which includes cold calling. However, your business's legitimate interest can be overridden by the interests, fundamental rights or freedoms of the data subject, in this case the customer.
In short, your right to cold call as a legitimate business interest must be balanced against the prospect's right not to be called.
That can make GDPR and cold calling a bit of a minefield. It's better to err on the side of caution and put in place processes that show your business has tried it capture, store and process data within GDPR guidelines.
GDPR and cold calling - how to keep compliant
Handle data in line with GDPR
This means setting out clear policies in your business detailing how personal data is captured, stored and used.
Ensure you have clear roles and rules in place that adhere to GDPR requirements.
Check customer consent when buying lists
Many businesses rely on sourcing third-party lists of leads to call. If buying lists from third-parties, ensure that all prospects on the list have given their consent for this information to be shared with you and given their consent to be contact by you for the purpose stated.
You must get proof of this consent before cold calling.
Use privacy technologies
Ensure phone calls are recorded and that conversations are stored securely and are encrypted.
Be selective about calling
Make sure sales teams identify prospects carefully to ensure there would be a legitimate interest in the customer wanting to find out more about your services or products.
Keep calls infrequent
Lots of calls in a short timeframe to the same customer would likely infringe GDPR if the customer felt inconvenienced by the amount of calls.
Have clear consent and opt out messages
Use follow up emails that explain why and how personal data is used and provide clear ways for customers to easily opt-out of further use of their data.
Learn with Start Up Loans and boost your marketing skills
Want to market your start-up business? Check our free online courses in partnership with the Open University on effective marketing techniques.
Our free Learn with Start Up Loans courses include:
- Marketing in the 21st Century
- First steps in innovation and entrepreneurship
- Entrepreneurial impressions – reflection
Plus free courses on climate and sustainability, teamwork, entrepreneurship, mental health and wellbeing.
Disclaimer: The Start -Up Loans Company makes reasonable efforts to keep the content of this article up to date, but we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. This article is intended for general information purposes only and does not constitute advice of any kind, including legal, financial, tax or other professional advice. You should always seek professional or specialist advice or support before doing anything on the basis of the content of this article.
The Start-Up Loans Company is not liable for any loss or damage (foreseeable or not) that may come from relying on this article, whether as result of our negligence, breach of contract or otherwise. “Loss” includes (but is not limited to) any direct, indirect or consequential loss, loss of income, revenue, benefits, profits, opportunity, anticipated savings, data. We do not exclude liability for any liability which cannot be excluded or limited under English law. Reference to any person, organisation, business or event does not constitute an endorsement or recommendation from The Start-Up Loans Company, its parent company British Business Bank plc, or the UK Government.
Your previously read articles
Apply for a Start Up Loan
We've helped over 100,000 businesses get off the ground with a Start Up Loan. Can we help make your business dream a reality?
Find out more for a start up loanEssential guide to starting a business
Our Essential Guide to Starting a Business is your roadmap to turn your business idea into a reality.
Across 12 chapters, you'll discover a wealth of information designed to empower and equip you with the knowledge needed to successfully launch and manage your new venture.
Sign up for our newsletter
Just add your details to receive updates and news from Start Up Loans
Sign up to our newsletter