GDPR regulations provide strict guidelines on the use of personal data, including phone numbers. It goes without saying that this has an impact on any data-driven marketing channel, not least telemarketing.
Since the regulations have taken effect, we’ve had many discussions with both existing and prospective clients to give assurance of what they can and cannot do under GDPR. In particular, whether they can use personal data to cold call individuals without explicit consent to continue to promote their products and services. The simple answer is YES. The new legislation does allow businesses to cold call but ensures this is done in a responsible way, only where there is a ‘Legitimate interest’ to do so, and where the interests, rights and freedoms of the individual are protected.
Whilst legitimate interest is a flexible option for processing personal data, it is not a lazy, catch-all workaround. It is a solid legal basis under which reputable businesses can continue to market their products and services responsibly. There are some simple steps that need to be taken to weigh the balance between business interests and the rights of the individual, but using readily available resources, this need not be onerous.
Now the dust has settled and panic died down, let’s understand how legitimate interest applies as a legal basis for cold calling. We will then look at the simple steps you need to take when marketing under ‘Legitimate interest’, and some of the handy resources available to help you do so.
Article 6 - Lawful Processing
GDPR regulations set out six lawful bases under which a business can use personal data legally as part of their business activities. At least one of these must apply whenever you process personal data. Four of the six clauses cover very specific scenarios and it is fairly clear how and when these apply. Clauses a) and f) are the two that are most relevant in the discussion around direct marketing, so let’s dig into the detail a little more.
Consent
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
The word ‘clear’ is important here and the regulations expand on this to say consent must be ‘explicit’. That means it doesn’t just need to be clear to the individual that they have consented to receive marketing materials from you, they must understand what type of marketing they are signing up to and how they will be marketed to. If, for example, an individual has agreed for you to email them details of a new product, it does not mean you can phone them, even if the call relates to that same product. As ‘cold calling’ by definition means the individual is not expecting a call, it has no relationship at all to ‘consent’ based marketing.
Legitimate Interests
The sixth clause in Article 6, ‘Legitimate interests’ states:
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
This clause relates also to Article 16 of the European Charter of Fundamental Rights, the ‘freedom to conduct a business’ which basically confirms the right to supply goods and services and generate profit, provided your business activities comply with the law.
Recital 47 of the GDPR clarifies further:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
So, under GDPR, organisations are entitled to process personal data to carry out their usual business activities and this can include direct marketing.
The second part of the legitimate interest clause then qualifies that those activities must not override ‘the interests or fundamental rights and freedoms of the data subject’. This is the key to using legitimate interest appropriately as a legal basis for direct marketing and cold calling. You must ensure that, whilst marketing your products and services, you are also protecting the rights of any individual you market to.
There are some basic steps that need to be taken to ensure you ‘balance’ your interests with the rights of the individual, and to demonstrate you are doing so on an ongoing basis.
A ‘Balancing Act’
Self-assessment is an important part of GDPR and ICO identifies three key elements of using the legitimate interests basis:
1) Identify a ‘Legitimate interest’
This simply means confirming what benefit you are trying to achieve for your business in processing the data. This might be a benefit for the company itself – processing your payroll for example, or a benefit to the wider society, such as creating employment.
2) Show that the processing is necessary to achieve this ‘Legitimate interest’
Here you need to explain how the processing will help you achieve your aim and why this is the best approach.
3) Protecting the rights of the data subject
In the context of cold calling, this means considering the rights of the individual not to have their privacy invaded by unsolicited calls. The GDPR regulations (and Ofcom’s guidance) require you to take care not to cause individuals distress through your use or misuse of their personal data, but also take account of the level of potential distress and what an individual might reasonably expect.
So, when using legitimate interests as the basis for your cold calling campaign to promote your products and services, you must consider the level of distress your call might cause the recipient.
ICO breaks the process into a simple three-part test based on the three elements above:
- The Purpose Test
- The Necessity Test
- The Balance Test
ICO also provides a handy ‘legitimate interests assessment’ (LIA) template, which walks you step by step through the process and allows you to document the provisions you have made in using legitimate interest as your legal basis. Once complete, this document allows you to demonstrate that your business is acting responsibly and taking into consideration the impact of your processing activities. As your marketing campaign evolves, it is important that you continue to assess your use of legitimate interest and ensure that your reasoning remains valid.
Telemarketing Best Practice
Whilst GDPR regulations force you to formally evaluate and document the impact of your marketing efforts or cold calling campaign, much of this is really a case of good practice. Irrespective of GDPR, any responsible company would be averse to causing their prospects distress, and any reputable telemarketing agency would have processes in place to avoid a negative impact on the recipient of the call. These should include:
- TPS/CTPS screening as standard
- Easy access to call histories and number look-ups so callers know and can explain exactly where the data they are calling came from.
- Easy opt-out and clear privacy policies that explain how you use the data you process. Under GDPR (Individual Rights) this should also provide mechanisms for individuals to easily exercise their ‘right to object’, their ‘right to be forgotten’, their ‘right to rectification’ and/or submit a Data Subject Access Request.
- Systems that manage the number of times any number is called.
- Technologies that protect the individual’s data such as call obfuscation to ensure protection of sensitive payment details, encrypted call recordings, data transfer via secure FTP.
- Strict policies and in-depth training for all staff on data protection/GDPR.
- Robust quality assurance and data management processes
- Rigorous training and ongoing coaching around calling ‘best practice’ such as:
  - Callers should state who they are and why they are calling at the start of a call.
  - If the prospect isn’t interested, their wishes must always be respected.
  - Listen and understand – don’t ‘hard’ sell. Callers should listen to the prospect and provide relevant information, tailored to their interests and pain points.
This list might look extreme but all of the above should be standard for any organisation that relies on telemarketing for its bread and butter. Once you have completed your legitimate interests assessment, you can look to your agency to provide an additional layer of safeguards to ensure the work they do on your behalf is fully compliant.
We should add here that we aren’t legal experts and would recommend speaking to your own legal team for a full evaluation of what you need to do to comply with GDPR. However, we have gone through the process ourselves and can happily walk any client or prospective client through the list above and demonstrate the systems we have in place to support GDPR compliance. If you would like to know more, get in touch.
Useful References
ICO Guide: Legitimate Interest - Lawful Basis for Processing
DMA Guide: GDPR for marketers: Consent and Legitimate Interests