Can businesses still cold call under GDPR? YES THEY CAN!!

Article published: Monday, July 14, 2025

Updated: Original article published July 9th 2018

GDPR regulations provide strict guidelines on the use of personal data including phone numbers. It goes without saying that this has an impact on any data-driven marketing channel, not least of which telemarketing.

Since the regulations have taken effect, we’ve had many discussions with both existing and prospective clients to give assurance of what they can and cannot do under GDPR. In particular, whether they can use personal data to cold call individuals without explicit consent to continue to promote their products and services. The simple answer is YES. Both under GDPR and, more recently, the UK Data (Use and Access) Act 2025 businesses can still cold call but the legislation ensures this is done in a responsible way, only where there is a ‘Legitimate interest’ to do so, and where the interests, rights and freedoms of the individual are protected.

Whilst legitimate interest is a flexible option for processing personal data, it is not a lazy, catch-all workaround. It is a solid legal basis under which reputable businesses can continue to market their products and services responsibly. There are some simple steps that need to be taken to weigh the balance between business interests and the rights of the individual, but using readily available resources, this need not be onerous.

We look at how legitimate interest applies as a legal basis for cold calling. We explore the simple steps you need to take when marketing under 'Legitimate interest' and highlight some useful resources that will help you do so.

Article 6 - Lawful processing

GDPR regulations set out six lawful bases under which a business can use personal data legally as part of their business activities. At least one of these must apply whenever you process personal data. Four of the six clauses cover very specific scenarios and it is fairly clear how and when these apply. Clauses a) and f) are the two that are most relevant in the discussion around direct marketing, so let’s dig into the detail a little more.

Consent

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

The word ‘clear’ is important here and the regulations expand on this to say consent must be ‘explicit’. That means it doesn’t just need to be clear to the individual that they have consented to receive marketing materials from you, they must understand what type of marketing they are signing up to and how they will be marketed to. If, for example, an individual has agreed for you to email them details of a new product, it does not mean you can phone them, even if the call relates to that same product. As ‘cold calling’ by definition means the individual is not expecting a call, it has no relationship at all to ‘consent’ based marketing.

Legitimate interests

The sixth clause in Article 6, ‘Legitimate interests’ states:

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

This clause relates also to Article 16 of the European Charter of Fundamental Rights, the ‘freedom to conduct a business’ which basically confirms the right to supply goods and services and generate profit, provided your business activities comply with the law.

Recital 47 of the GDPR clarifies further:

"The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

So, under both GDPR and the updated UK Data (Use and Access) Act 2025, organisations are entitled to process personal data to carry out their usual business activities and this can include direct marketing.

The second part of the legitimate interest clause then qualifies that those activities must not override ‘the interests or fundamental rights and freedoms of the data subject’. This is the key to using legitimate interest appropriately as a legal basis for direct marketing and cold calling. You must ensure that whilst marketing your products and services, you are also protecting the rights of any individual you market to.

There are some basic steps that need to be taken to ensure you ‘balance’ your interests with the rights of the individual, and to demonstrate you are doing so on an ongoing basis.

A ‘Balancing Act’

Self-assessment is an important part of GDPR and ICO identifies three key elements of using the legitimate interests basis:

1) Identify a ‘Legitimate interest’
This simply means confirming what benefit you are trying to achieve for your business in processing the data. This might be a benefit for the company itself – processing your payroll for example, or a benefit to the wider society, such as creating employment.

2) Show that the processing is necessary to achieve this ‘Legitimate interest’
Here you need to explain how the processing will help you achieve your aim and why this is the best approach.

3) Protecting the rights of the data subject
In the context of cold calling, this means considering the rights of the individual not to have their privacy invaded by unsolicited calls. The GDPR regulations (and Ofcom’s guidance) require you to take care not to cause individuals distress through your use or misuse of their personal data, but also takes account of the level of potential distress and what an individual might reasonably expect.

So, when using legitimate interests as the basis for your cold calling campaign to promote your products and services, you must consider the level of distress your call might cause the recipient.

ICO breaks the process into a simple three-part test based on the three elements above:

• The Purpose Test

• The Necessity Test

• The Balance Test

ICO continues to provide a handy ‘legitimate interests assessment’ (LIA) template, which walks you step by step through the process and allows you to document the provisions you have made in using legitimate Interest as your legal basis. Once complete, this document allows you to demonstrate that your business is acting responsibly and taking into consideration the impact of your processing activities. As your marketing campaign evolves, it is important that you continue to assess your use of legitmate interest and ensure that your reasoning remains valid.

UK Data (Use and Access) Act 2025

The concept of legitimate interest as a lawful basis for processing personal data has raised challenges for businesses trying to determine whether their interests genuinely outweigh the privacy rights of individuals.

The introduction of the UK Data (Use and Access) Act 2025 seeks to modernise and simplify data handling, support digital identity services, and encourage innovation through Smart Data schemes. One of its key features is also to bring greater clarity around the concept of legitimate interest by:

Introducing 'Recognised Legitimate Interests':
Schedule 4 of the Act sets out a list of specific purposes for which organisations do not need to carry out the traditional 'balancing test' to rely on legitimate interest. This change gives organisations greater legal certainty when relying on those specific interests.

Examples and guidance:
While direct marketing remains subject to the standard assessment process, the Act also offers examples of types of processing that may be considered necessary for legitimate interests—including direct marketing. This clarification is a particularly welcome development for marketers, many of whom have struggled with the grey areas of GDPR compliance in this area.

Clarifying Data Subject Access Requests (DSARs):

• The Act sets out clearer timelines for responding to DSARs, especially where identity verification or further scoping is needed.

• It confirms that organisations are only required to provide data based on a reasonable and proportionate search, which helps prevent the burden of excessive or overly broad requests.

Overall, while the core principles of GDPR remain intact, the UK Data (Use and Access) Act 2025 introduces greater operational clarity and practical flexibility, especially for organisations navigating complex or high-volume data environments.

For marketers relying on legitimate interest, the requirements around balancing privacy rights remain unchanged, but the enhanced guidance may make compliance easier to interpret and apply.

Telemarketing best practice

Whilst GDPR regulations force you to formally evaluate and document the impact of your marketing efforts or cold calling campaign, much of this is really a case of good practice. Irrespective of GDPR, any responsible company would be averse to causing their prospects distress, and any reputable telemarketing agency would have processes in place to avoid a negative impact on the recipient of the call. These should include:

• TPS/CTPS screening as standard

• Easy access to call histories and number look-ups so callers know and can explain exactly where the data they are calling came from.

• Easy opt-out and clear privacy policies that explain how you use the data you process. Under GDPR (Individual Rights) this should also provide mechanisms for individuals to easily exercise their ‘right to object’, their ‘right to be forgotten’, their ‘right to rectification’ and/ or submit a Data Subject Access Request.

• Systems that manage the number of times any number is called.

• Technologies that protect the individual’s data such as call obfuscation to ensure protection of sensitive payment details, encrypted call recordings, data transfer via secure FTP.

• Strict policies and in-depth training for all staff on data protection/GDPR.

• Robust quality assurance and data management processes

• Rigorous training and ongoing coaching around calling ‘best practice’ such as:
  • ​​Callers should state who they are and why they are calling at the start of a call.
  • If the prospect isn’t interested, their wishes must always be respected.
  • Listen and understand – don’t ‘hard’ sell. Callers should listen to the prospect and provide relevant information, tailored to their interests and pain points

This list might look extreme but all of the above should be standard for any organisation that relies on telemarketing for its bread and butter. Once you have completed your legitimate interests assessment, you can look to your agency to provide an additional layer of safeguards to ensure the work you they do on your behalf is fully compliant.

We should add here that we aren't legal experts and recommend that you speak to your own legal team for a full evaluation of what you need to do to comply with GDPR. However, we have gone through the process ourselves and can happily walk any client or prospective client through the list above and demonstrate the systems we have in place to support GDPR compliance. If you would like to know more, get in touch.

Useful References

• ICO Guide: Legitimate Interest - Lawful Basis for Processing
• DMA Guide: GDPR for marketers: Consent and Legitimate Interests
• Information Commissioner’s response to the Data (Use and Access) (DUA) Bill | ICO
• What's changing and what's the same in the UK's Data (Use and Access) Bill from a GDPR compliance perspective?