GDPR and Telesales – Is Cold Calling Still Permitted?

July 24, 2018

On May 25 this year, the General Data Protection Regulation (GDPR) came into force. After a two-year preparation period, it’s now official: organizations need to ensure that the way they store and process data complies with the new rules outlined by GDPR.

GDPR certainly affects most businesses, but there are a number of industries that are more affected than others when it comes to complying with the new legislation. And the telesales industry, which typically relies on cold calling, is not surprisingly one of them.

We already created a GDPR checklist and outlined how your call center can process call recordings in accordance with the new rules, so now it’s time to talk about how GDPR affects telesales, and most importantly cold calling.

And if you think that GDPR doesn’t apply to your telesales activities, think again and read on. In this article, we’ll show you what you need to do to ensure you can continue relying on cold calling as part of your telesales strategy in the post-GDPR world.

Cold calling after GDPR

As we all know, telesales is a service that sells products or services directly to customers via (often cold) phone calls. Of course, in order to be able to contact customers via phone, businesses need to store and process a huge volume of personal data. Now that GDPR has come into force, how has the situation changed?

The good news is that cold calling is still permitted; however, the rules of the game have changed considerably. Although the new legislation does not address cold calling directly, having your customers’ personal data may be against GDPR principles.

Before we immerse ourselves in the topic, let’s quickly clarify how personal data is defined under GDPR. As we already mentioned in our previous article, voice files are considered personal data as they can include personal information, such as the caller’s name, address or financial information.

Consequently, the data that telesales departments typically rely on, including names, home addresses, phone numbers and email addresses, is all considered personal data.

Six criteria outlined by GDPR

If you want to continue your telesales activities in accordance with GDPR, it’s time to take a look at the six criteria you will need to meet in order to be able to store and process your customers’ personal data. Under GDPR, your business needs to justify that the purpose for storing and processing customer data fulfills one of the criteria below:

  1. Customers gave you their consent to use their data
  2. You’re entering into a contract with a customer and you’re processing their data in order to fulfill the contract
  3. Processing of data is necessary for compliance with a legal obligation
  4. You’re processing data to protect someone’s vital interests
  5. You’re processing data to carry out a task in the public interest
  6. Processing is necessary for legitimate interest, except where such interest is overridden by the customer’s fundamental rights and freedoms

When it comes to cold calling, it’s quite unlikely that criteria 2 to 5 will apply to you. So, your best bet remains focusing on customer consent and legitimate interest.

GDPR and consent for cold calling

With GDPR now in force, gone are the days of hiding pre-checked boxes at the bottom of a webpage. In order to be able to contact a customer, businesses now need to have the customer’s clear and explicit consent.

As outlined by GDPR, when initiating cold calls, you’ll need to notify your customers that you’re storing and processing their data, and ask for their consent to be able to continue to do so afterward. Of course, it’s probably not advisable to begin a phone call with this information, but you’ll need to make sure they’re fine with you having their data, ideally within the first seconds of the call.

GDPR also specifies that customers who previously gave consent to have their data stored and processed can withdraw this consent at any time, and it’s your business’s responsibility to immediately delete the relevant data.

Furthermore, the actual consent itself always needs to be recorded and be available at any time. Call recording is a common call center practice and can be used to make customer consent easily available and transparent. However, bear in mind that GDPR also applies to call recording.

GDPR and legitimate interest – the savior of cold calling

Let’s be honest, obtaining your customers’ consent to contact them before you actually contact them is not an easy task.

And this is where the option of legitimate interest comes into play: the last criterion says that as long as you have a legitimate business interest in contacting customers, and it’s not overridden by your customers’ decision not to be contacted, you’re allowed to call them.

Luckily, selling a product or service is considered a legitimate business interest, making the last criterion in the legislation the savior of cold calling.

For instance, if you call a customer and offer – let’s say – a new service package to them over the phone, then, as long as you’re not misleading or deceiving them, your offer is considered a legitimate business interest.

But while this is, without doubt, a great loophole for telesales departments, it doesn’t mean that businesses can continue to call an endless number of potential customers.

With GDPR in force, telesales departments need to be able to justify that they are calling potential customers who are truly interested in their products or services, rather than just randomly dialing all available phone numbers in their database.

Balancing test

In order to ensure that your cold calling efforts are a legitimate business interest, you’ll need to do a so-called “balancing test”, in other words, a comparison of your business interest against the interests of the prospects you want to call.

In brief, products and services that are offered via cold calling in a genuine way, without misleading or deceiving customers, are considered a legitimate business interest. Simple as that.

However, in order to make sure that your cold calls based on legitimate business interest won’t harm your customers, you’ll need to put certain “safeguards” in place.

Amongst other things, you’ll always have to provide customers with the opportunity to easily opt out of continued storing and processing of their data. GDPR also states that businesses can only store and process data that is absolutely necessary for providing their service to its full extent. For instance, if you don’t need to have a prospect’s date of birth, then you shouldn’t ask them for it. Furthermore, always make sure to raise awareness of data protection in your organization, and test your procedures systematically.

The more “safeguards” you implement in your organization, the more balanced your rights to do business will be against the prospect’s right not to be called.

As you can see, GDPR is not the death of cold calls. Just study our article, allocate enough time to prepare for the new rules (if you haven’t done so already), and you’re good to go!

Articles and entries on do not constitute legal advice. Should you have any legal questions, please contact your lawyer or legal advisor. VCC Live® will not take any responsibility or liability for any damages, disadvantages or losses that may arise from the results of any interpretation of the contents of the blog.
