Information to help your business benefit from telecommunications

Cold Calling and GDPR, are They Compatible? Part Two


Last month’s blog looked at the future of cold calling in the light of GDPR. In essence our conclusion was that GDPR doesn’t sound the death knell for cold calling, but that it was going to be a far more complicated activity in the future than it ever has been before. We looked at the legislation supporting GDPR and identified that the hope of any cold calling enterprise lies within Article 6, which lists a number of criteria an organisation must meet to be able to use the data they have to cold call. To save you from diving into our blog archives we’ll list these here again. An organisation must either have:

  1. Explicit permission to use the data given for a specific purpose
  2. Contractual obligations that necessitate the use of that data
  3. The need to use the data to protect someone’s vital interests
  4. The need to use the data in the public interest
  5. The need to use the data as a legal obligation
  6. A “legitimate interest” in using the data and that this “legitimate interest” outweighs the “fundamental rights and freedoms” of the data owner.

It’s the 6thof these that holds hope, and our blog looked at how this might be the case. We recognised that Article 6 Part 1 (f) holds the key. It says:

“Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

So, you, the cold caller, need to be able to justify the legitimate interests that you have in cold calling that outweigh the cold callee’s fundamental rights and freedoms. 

How do you do this? By demonstrating that your needs as a business are more important than those of the people you’ll be calling. Note that the operative word here is “more”. Equally isn’t good enough. The balance has to be tipped in your favour. 

Let’s first though see what a “legitimate interest” is. Recital 46 of the GDPR tells us that, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This is drawn from Article 16 of the European Charter of Fundamental Rights which covers “the freedom to conduct a business”. So, what is your legitimate interest? What benefits will your business derive from using the personal date you have? Will it create profit and keep people employed? Will it enable you to manufacture high quality goods to everyone’s benefit? Or offer a service to the same end? If so, that’s legitimate.  It’s well worth spending time on this, not just for the sake of GDPR. When did you last review your organisation’s purpose, vision, values, strategies and tactics and articulate these in your business plan? You’re welcome!

How about the other side of this balance, “the interests or fundamental rights and freedoms of the data subject”? What are “the reasonable expectations of the data subjects”? Put bluntly GDPR (as opposed to Ofcom) would appear to view the public’s inconvenience at receiving an unwanted phone call as a minor matter, so long as “safeguards” are in place to minimise the potential risk of something untoward happening when personal data is being used. Some of these “safeguards” are mandatory, some not. They include:

  • Easy opt-outs
  • Strict limitations as to how much data is collected and how long its kept, based on purpose
  • Data Protection Impact Assessments
  • Regular staff training
  • Limited number of calls
  • Policies on vulnerable adults
  • And so on

You’ll appreciate that the more “safeguards” your organisation has in place, the more the balance tips in your favour.

Is that it? Sadly not, and remembering that the maximum fine for getting this wrong is a cool 20m Euro or 4% of worldwide turnover, whichever is the greater, it’s worth getting these further three steps right.

  1. On any occasion that your process changes, even a little, you have to be able to prove that you have completed a balancing test from a to z, and that the balance remains in your favour. What’s more, it’s recommended that you make the reasoning you’ve used to arrive at your balance available to data owners. Also that you are open about any profiling you’ve done to arrive at the use of their data.
  2. If an individual objects to the use of their data you have to stop using it and remove it immediately, and be able to prove you have.
  3. Individuals must be able to ask for and receive a copy of all their data that you hold. They can then ask you to update, change or delete it to any degree they require. 

How will all this work out? Time alone will tell. Once everything is in place and working it might well encourage the public to be more trusting and prepared to accept sales calls. Good luck!

comments powered by Disqus