How do you work with personally identifiable data?
As a telemarketing agency, we work on our own behalf and on behalf of various clients, contacting existing and prospective B2B and B2C customers using the phone and other channels. As this involves the processing of personally identifiable data, it is vital that we comply with the GDPR, and we are committed to the secure and compliant handling of all data held and processed by the company.
The Telemarketing Company is registered with the ICO – registration number Z5198027
What legal basis do you use for processing personally identifiable data under GDPR?
GDPR regulations set out six lawful bases under which a business can use personal data legally as part of their business activities. At least one of these must apply whenever you process personal data. The lawful basis we use for this processing is "Legitimate Interest" in accordance with recital 47 of the GDPR.
The ICO recommend that companies using this basis conduct a "Legitimate Interests Assessment" (LIA) and we have done this. The Telemarketing Company complies in full with the TPS/CTPS to prevent unwanted sales and marketing calls and maintains its own company “Do not Call list” in line with Ofcom regulations.
Is cold calling still possible under GDPR?
Yes, it is. GDPR legislation does allow businesses to cold call but ensures it is done in a responsible way, only where there is a ‘Legitimate interest’ to do so, and where the interests, rights and freedoms of the individual are protected.
Under GDPR, organisations are entitled to process personal data to carry out their usual business activities and this can include direct marketing. In the context of cold calling, this means considering the rights of the individual not to have their privacy invaded by unsolicited calls.
What processes do you apply to protect the rights of individuals?
As part of our best practice framework and GDPR compliance, we have processes in place to avoid any negative impact on call recipients including:
- TPS/CTPS screening as standard, in addition to our own ‘Do not call’ list.
- Mechanisms that allow individuals to easily exercise their “Individual Rights” under GDPR, including their ‘right to object’, their ‘right to be forgotten’ and their ‘right to rectification’, and/or to submit a Data Subject Access Request.
- Clear privacy, data protection and information security policies that explain how we use and protect the data we process.
- Robust quality assurance and data management processes.
- Technologies that protect the individual’s data, such as call obfuscation to protect sensitive payment details, encrypted call recordings and data transfer via secure FTP.
- Systems that manage how many times a number is called.
- Strict policies and in-depth training for all staff on data protection and GDPR.
- Easy access to call histories and number look-ups so callers know and can explain exactly where the data they are calling came from.
- Rigorous training and ongoing coaching around calling ‘best practice’ such as:
  - Callers should state who they are and why they are calling at the start of a call.
  - If the prospect is not interested, their wishes must always be respected.
  - Listen and understand – do not ‘hard’ sell. Callers should listen to the prospect and provide relevant information, tailored to their interests and pain points.
Where does the data come from?
The data we process is obtained from several sources. These include information requests via our website or other channels, our clients, GDPR compliant data providers and online resources in the public domain.
Where is data stored and processed?
All data is securely stored and processed within the EU. As a data processor, we undertake to keep all personal data confidential and secure when performing any processing activity.
We guarantee compliance with adequate technical and organisational security measures necessary to properly protect and secure the personal data collected, processed and used.
Who is data shared with?
Personally identifiable data is never shared with any third party other than the client we are working on behalf of. We never resell or share this data with any other party, except in the circumstances below:
- In the event that we sell any or all of our business, to the buyer.
- Where we are required by law to disclose your personal information.
- To further fraud protection and reduce the risk of fraud.
How do you ensure data isn't corrupted, lost or stolen?
The Telemarketing Company holds the ISO 27001 Information Security Management accreditation. ISO 27001 certifies that a business has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.
This accreditation gives clients robust assurance that security controls are in place to protect their sensitive information and data from being accessed, corrupted, lost or stolen. It means we are fully compliant with the highest internationally recognised standards of information security and maintain best practice as part of an ongoing process of continuous investment, review and regular external audit.
For copies of our Data Protection, Information Security and related policies, please get in touch.