Blog

Can businesses still cold call under GDPR? YES THEY CAN!!

GDPR regulations provide strict guidelines on the use of personal data including phone numbers. It goes without saying that this has an impact on any data-driven marketing channel, not least of which telemarketing.

Since the regulations have taken effect, we’ve had many discussions with both existing and prospective clients to give assurance of what they can and cannot do under GDPR. In particular, whether they can use personal data to cold call individuals without explicit consent to continue to promote their products and services. The simple answer is YES. The new legislation does allow businesses to cold call but ensures this is done in a responsible way, only where there is a ‘Legitimate interest’ to do so, and where the interests, rights and freedoms of the individual are protected.

Whilst legitimate interest is a flexible option for processing personal data, it is not a lazy, catch-all workaround. It is a solid legal basis under which reputable businesses can continue to market their products and services responsibly. There are some simple steps that need to be taken to weigh the balance between business interests and the rights of the individual, but using readily available resources, this need not be onerous.

Now the dust has settled and panic died down, let’s understand how legitimate interest applies as a legal basis for cold calling. We will then look at the simple steps you need to take when marketing under ‘Legitimate interest’, and some of the handy resources available to help you do so.
 

Article 6 - Lawful Processing

GDPR regulations set out six lawful bases under which a business can use personal data legally as part of their business activities. At least one of these must apply whenever you process personal data. Four of the six clauses cover very specific scenarios and it is fairly clear how and when these apply. Clauses a) and f) are the two that are most relevant in the discussion around direct marketing, so let’s dig into the detail a little more.

Consent

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

The word ‘clear’ is important here and the regulations expand on this to say consent must be ‘explicit’. That means it doesn’t just need to be clear to the individual that they have consented to receive marketing materials from you, they must understand what type of marketing they are signing up to and how they will be marketed to. If, for example, an individual has agreed for you to email them details of a new product, it does not mean you can phone them, even if the call relates to that same product. As ‘cold calling’ by definition means the individual is not expecting a call, it has no relationship at all to ‘consent’ based marketing.

Legitimate Interests

The sixth clause in Article 6, ‘Legitimate interests’ states:

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

This clause relates also to Article 16 of the European Charter of Fundamental Rights, the ‘freedom to conduct a business’ which basically confirms the right to supply goods and services and generate profit, provided your business activities comply with the law.

Recital 47 of the GDPR clarifies further:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

So, under GDPR, organisations are entitled to process personal data to carry out their usual business activities and this can include direct marketing.

The second part of the legitimate interest clause then qualifies that those activities must not override ‘the interests or fundamental rights and freedoms of the data subject’. This is the key to using legitimate interest appropriately as a legal basis for direct marketing and cold calling. You must ensure that, whilst marketing your products and services, you are also protecting the rights of any individual you market to.

There are some basic steps that need to be taken to ensure you ‘balance’ your interests with the rights of the individual, and to demonstrate you are doing so on an ongoing basis.

A ‘Balancing Act’

Self-assessment is an important part of GDPR and ICO identifies three key elements of using the legitimate interests basis:

1) Identify a ‘Legitimate interest’
This simply means confirming what benefit you are trying to achieve for your business in processing the data. This might be a benefit for the company itself – processing your payroll for example, or a benefit to the wider society, such as creating employment.

2) Show that the processing is necessary to achieve this ‘Legitimate interest’
Here you need to explain how the processing will help you achieve your aim and why this is the best approach.

3) Protecting the rights of the data subject
In the context of cold calling, this means considering the rights of the individual not to have their privacy invaded by unsolicited calls. The GDPR regulations (and Ofcom’s guidance) require you to take care not to cause individuals distress through your use or misuse of their personal data, but also takes account of the level of potential distress and what an individual might reasonably expect.

So, when using legitimate interests as the basis for your cold calling campaign to promote your products and services, you must consider the level of distress your call might cause the recipient.

ICO breaks the process into a simple three-part test based on the three elements above:

  • The Purpose Test

  • The Necessity Test

  • The Balance Test

ICO also provides a handy ‘legitimate interests assessment’ (LIA) template, which walks you step by step through the process and allows you to document the provisions you have made in using legitimate Interest as your legal basis. Once complete, this document allows you to demonstrate that your business is acting responsibly and taking into consideration the impact of your processing activities. As your marketing campaign evolves, it is important that you continue to assess your use of legitmate interest and ensure that your reasoning remains valid.

Telemarketing Best Practice

Whilst GDPR regulations force you to formally evaluate and document the impact of your marketing efforts or cold calling campaign, much of this is really a case of good practice. Irrespective of GDPR, any responsible company would be averse to causing their prospects distress, and any reputable telemarketing agency would have processes in place to avoid a negative impact on the recipient of the call. These should include:

  • TPS/CTPS screening as standard

  • Easy access to call histories and number look-ups so callers know and can explain exactly where the data they are calling came from.

  • Easy opt-out and clear privacy policies that explain how you use the data you process. Under GDPR (Individual Rights) this should also provide mechanisms for individuals to easily exercise their ‘right to object’, their ‘right to be forgotten’, their ‘right to rectification’ and/ or submit a Data Subject Access Request.

  • Systems that manage the number of times any number is called.

  • Technologies that protect the individual’s data such as call obfuscation to ensure protection of sensitive payment details, encrypted call recordings, data transfer via secure FTP.

  • Strict policies and in-depth training for all staff on data protection/GDPR.

  • Robust quality assurance and data management processes

  • Rigorous training and ongoing coaching around calling ‘best practice’ such as:
    • ​​Callers should state who they are and why they are calling at the start of a call.
    • If the prospect isn’t interested, their wishes must always be respected.
    • Listen and understand – don’t ‘hard’ sell. Callers should listen to the prospect and provide relevant information, tailored to their interests and pain points.

This list might look extreme but all of the above should be standard for any organisation that relies of telemarketing for its bread and butter. Once you have completed your legitimate interests assessment, you can look to your agency to provide an additional layer of safeguards to ensure the work they do on your behalf is fully compliant.

We should add here that we aren’t legal experts and would recommend speaking to your own legal team for a full evaluation of what you need to do to comply with GDPR. However, we have gone through the process ourselves and can happily walk any client or prospective client through the list above and demonstrate the systems we have in place to support GDPR compliance. If you would like to know more, get in touch.

 

Useful References

ICO Guide: Legitimate Interest - Lawful Basis for Processing

DMA Guide: GDPR for marketers: Consent and Legitimate Interests
 

Related articles

Six strategies to drive sales growth in 2025

Six strategies to drive sales growth in 2025

Friday, November 29, 2024
Find out more
Personalised marketing - the power of the human touch in telemarketing

Personalised marketing - the power of the human touch in telemarketing

Wednesday, November 13, 2024
Find out more
Ethical telemarketing: a reality, not a myth

Ethical telemarketing: a reality, not a myth

Wednesday, October 9, 2024
Find out more
Maximising marketing ROI with telemarketing analytics

Maximising marketing ROI with telemarketing analytics

Wednesday, September 11, 2024
Find out more

Our full range of telephone services

Data Services

Flexible Data Services

Data Cleansing
Data Cleansing
Clean, up-to-date data delivers better quality leads and boosts sales
Read more
Data Enrichment
Data Enrichment
Data enrichment helps you better connect with your target audience and delivers actionable insights, improved conversion
Read more
Email Opt-ins: GDPR
Email Opt-ins: GDPR
Do you have a clean, compliant, opted-in database?
Read more

Pre Sales Research

Drive your sales strategy with telephone interviewing

Pre Sales Research
Pre Sales Research
Arm your sales and marketing teams with clear customer intelligence and actionable insight.
Read more

Telemarketing

Telemarketing that’s personal, agile, smart and insightful.

Lead Generation
Lead Generation
A steady stream of qualified buyers
Read more
Call Handling
Call Handling
We can provide your customers with an expert, personalised service - making every interaction count
Read more
Appointment Setting
Appointment Setting
Successful appointment setting requires meaningful human interaction with senior decision makers
Read more
Lead Management
Lead Management
Improve lead flow and quality - turn inbound leads into sales
Read more
Event Marketing
Event Marketing
Engage high value attendees and drive registrations
Read more
Lead Qualification / Nurture
Lead Qualification / Nurture
Move leads through the funnel more strategically with our expert lead qualification and lead nurturing services
Read more

Sales

High-performance Telesales

Telesales / Inside Sales
Telesales / Inside Sales
Flexible, high performance transactional telesales and complex inside sales services.
Read more
Account Based Marketing
Account Based Marketing
Increase profitability, reverse churn and increase customer lifetime value.
Read more

Post Sales Research

Strengthen customer relationships

Welcome Calls
Welcome Calls
A welcome call is an opportunity to reach out to new customers and reduce customer churn, as part of an effective customer management strategy.
Read more
Customer Satisfaction
Customer Satisfaction
Gain a more nuanced view of your customers’ experiences through phone-based surveys.
Read more
Treating Customers Fairly / Compliance
Treating Customers Fairly / Compliance
An FCA authorised and regulated business, our expert team can help you meet your TCF compliance needs.
Read more