Working remotely has rapidly become the new normal, and more and more companies are adapting their approach forward, working.
It takes a lot of effort to collect, handle, process, and store data correctly. But any business must prioritize compliance and data security highly.
What are we going through in this blog post?Okay. First, we need to state that the “G” in GDPR stands for “general”, which means the same standards apply to all industries. Second of all, we need to inform you that this piece of content isn't a complete list of all you need to know about GDPR; neither does it constitute legal advice.
The regulations of the telemarketing industry may vary from country to country by local regulations. E.g., there are some specific rules in Germany that's above the GPDR regulations, which brings us to our first advice: Always keep track of local regulations and laws regarding the purpose you’re working on.
Remember that GPDR applies to everyone working in your organization – not just the data controllers.
It takes a lot of effort to collect, handle, process, and store data correctly. And for some businesses, the GPDR regulations can obstruct the possibilities to enrich and store data in their favor.
But from the consumer's point of view, the regulations give the consumer some basic rights, such as the right to be forgotten. Use this to your advantage and let compliance create a better relationship with your customers by making them feel safe. Aaaand, it's also a waste of time to contact people who don’t want to be contacted.
What kind of data is legal to collect and process? Well, it varies from one case to another – even within the same company. But there are some basic rules you need to follow.
The first step is to ensure that the subject has given consent to data processing unless the proceeding is necessary to perform legal obligations – but that is more an exception to the rule.
Next, you need to ensure that the data is necessary for your performance and that the data is specified, explicit, and collected for a legitimate purpose. And that the data is correct, of course.
Do yourself the favor of understanding the data you collect and assure you can answer why the data is relevant to you. If you have a clear purpose, it’s easier to identify irrelevant and incorrect data and erase it. It also helps you qualify your leads and prevent data overload.
It’s a good idea to have your legal advisor help you write down your purpose and give you some advice on what kind of data is necessary to run your business.
Before we detail how to handle GDPR, we need to define the subject of the law. In the GDPR context, a data subject is any identified or identifiable person residing in the EU whose personal data is processed. It includes both living or dead people and their dependents, ascendants, and descendants.
It doesn’t matter if your business is based in or outside the EU. GDPR impacts all businesses processing, handling, and storing data belonging to an EU citizen.
Within telemarketing, we talk about leads, subjects, customers, prospects, individuals, people, etc. The law doesn’t distinguish between cold or warm leads, potential or existing customers in this context. They're all the same. The same applies to B2B calling if the data is specific to a single person.
There’s no simple answer to that question because it all depends on your purpose.
Many telemarketing companies enrich their data with public sources or add sources or by adding comments after a conversation with a (potential) customer. There’s nothing wrong about merging different datasets or adding bonus information in one way or another. But it is important to keep in mind that it’s illegal to collect or enrich data with more information than necessary concerning your primary purpose. To put it another way: you need to have a good reason for collecting and processing the data, and the data needs to be relevant for the performance.
Especially when it comes to personal data. Personal data is defined as any information relating to an identified or identifiable natural person, ranging from a phone number to information about the person's mental state.
The law distinguishes between personally identifiable information, such as name and address, and sensitive personal information, such as religious beliefs, sexuality, health information, etc.
Be aware of which kind of information you add. There's a huge difference between adding personally identifiable information (article 6) and sensitive personal information (article 9).
Processing sensitive personal information is prohibited unless it can be carried out to the extent where some specific conditions apply. The rule of thumb is to avoid processing these kinds of data unless you fulfill one of the conditions described in article 9 of the GDPR. If you have a legal purpose for processing sensitive information, then use extra safeguards.
If you have any doubts, ask yourself: Is this data 'need to have' or 'nice to have'? If the data falls into the category 'nice to', then it’s time to do some housecleaning and minimalize the amount of data to what’s sufficient for your business.
Make a clear description of what kind of information your agents are legally allowed to collect, and make sure to monitor your agents’ activity and evaluate their effort.
It might seem like a minor detail, but it is vital that your data is correct and always up to date.
If the phone number is incorrect, you may call the wrong person (without permission to do so), or even worse, if the lead has changed the address, you can end up billing the wrong person.
In most cases, you need to have the person's consent before you start processing data.
There are a few exceptions to that rule, and local laws regulate some of them. But the main rule is to make sure you have consent before you start calling your leads.
The consent must be for a named organization, which practically means that trusted third parties, e.g., your data processors, also need to be named as part of the consent agreement.
Whether you buy your leads from second or third parties or collect them yourself, it's important to get the consent upfront. It's your responsibility as a data controller to ensure that the consent is given incorrectly.
Consent must be explicit. You need to be able to demonstrate that your subject had no doubt opting in. It also means that you cannot use pre-checked boxes or hide consent in the text – e.g., bundle with other terms and conditions when you collect the consent from a webpage. This is also known as “consent by default”.
The same rules apply when you need permission to record a conversation. We’ll get back to that topic.
No.
Consent is always specific. It means, if the consent is about selling shoes, you’re not allowed to use it to sell socks. If your business plans to expand your services, in this case, selling socks, it's worth considering making an opt-in that explicitly mentions contacting customers to sell clothing in general - and not just shoes.
If the opt-in is specific to a campaign, the consent will automatically expire when the campaign stops. All data must be tracked and removed for a further purpose once the date has passed (make sure to keep documentation two years after the consent expire). If the consent was given through a webpage, make sure to store the specific consent against each opt-in, as the text on the website may change over time.
The same rules apply if you buy a lead from a second or a third party – at any given time, you need to assure that the consent is given correctly.
What about existing customers? How to handle them?
Under some circumstances, you don't need to require prior consent if the subject's data is obtained as part of a product or service sale or if your purpose for calling relates to a similar service or product.
As easy as it is to opt-in, as easy should it be to opt-out. Make sure to inform the subject on how to withdraw their consent or cancel any agreement. It might be easier to get their opt-in when you inform your subjects upfront because it gives a sense of security to know that it's easy to cancel the permission or agreement. By the end of the day, you’ll get more satisfied customers, and even if they opt-out, they might return because they had a good customer experience.
If the consent is given over the phone, you must make it possible to withdraw again over the phone – you cannot demand them to send an e-mail! Remember that you risk getting frustrated customers (that probably won’t return or recommend your product) if it is a struggle to opt-out of an agreement.
Even though GPDR doesn’t refer specifically to B2B or B2C but identified or identifiable subjects, there’s a difference between calling B2C and B2B.
Contrary to B2C calling, you don’t need consent if you do cold B2B calling (answering the phone is consent in itself!). However, you need to have a legitimate purpose, which means that you need to consider your interest as a business and make sure that the prospect could be interested in your product or services. Also, make sure that it’s the right decision maker you’re calling.
Remember, when it comes to GPDR, the same rules apply when processing and storing personal information about a given prospect. Suppose you do intend to process or store personal data related to a specific individual in an organization in connection to the call. In that case, the prospect must consent – e.g., if you intend to record the conversation. You also need consent if you intend to send a follow-up email (e.g., with offers). Especially if you call one-man-businesses, you need to be aware that all data can easily be tracked down to a single individual.
Getting consent can be tricky because you must document you have consent, but it's possible to do some workarounds to have the cake and eat it too.
We’ll get back to the tricky part of obtaining consent to record a conversation in a bit. First, let's focus on getting consent to send an e-mail.
Unless you have recorded the conversation (and thus also the consent to send an e-mail), you can repeat what the prospect has consented to during the call in the e-mail follow-up.
Remember to include
1. your purpose,
2. the reason why you’re following up by e-mail,
3. what you have agreed on during the conversation, and
4. the possibility to opt-out if the prospect objects to any further contact.
Be transparent about your purpose at any given time, and don’t be too pushy. Long-term B2B relations with a genuine interest in your products and services is preferable to a quick fix sale.
Many call centers record conversations by default for educational purposes or “to improve customer service”, but these are not lawful reasons. You still need to get your consent upfront – and it must be explicit and clear before you tap the record button.
Ensure that all parties are informed that they will be recorded – both the subject and the agent. It’s a bit tricky, especially when you do the outbound calling. But it's possible.
Practically, you need to notify the person you intend to record and get consent off-the-record before you have permission to record the conversation. When you start the recording, ask the person to confirm that they consent to the recording.
A way of doing this is to make a recap on your agreement, e.g., by saying: “…As we agreed, I have started the recording now…” or “I need you to confirm that we agreed on recording this conversation…”
It’s a good idea to provide your agents with a comprehensive script with clear instructions on collecting the consent in the right manner to avoid any misunderstandings in the process.
It’s a lot easier to get consent if you do the inbound calling, and your dialer supports the opportunity to use an IVR message, notifying you that the conversation will be recorded.
Make sure that your agents are well trained and pay attention to this matter.
While focusing on getting consent from subjects, some call centers may forget that GDPR applies to their employees.
If a subject asks for access to all registered personal data, you’re not allowed to hand out recorded conversations to a subject unless your agent consents. At the same time, you are obliged to hand out any data registered on the subject, including recordings, which puts you in a bit of a dilemma.
What to do? Both options seem impossible. A workaround is to blur or mask the agent's part of the conversation, but then again, it’s a bit elaborate.
The best advice is to make your agents sign a “notice and consent” document acknowledging that their conversations may be monitored, recorded, and handed out by request from any subject.
No longer than necessary. As soon as necessity has expired, you need to erase the data.
And how long is necessary, you may ask? Well, if you have a good reason to keep the data, it's necessary.
“Nice to have” is not a reason – and always make sure that the data lives up to the compliance mentioned above. Ask yourself why it's important for your business to keep data and consider anonymizing any personal data that’s no longer necessary to keep. We’ll get back to that.
Consent expires when it has been inactive for a year. After a year, you need to renew it by activating the lead once again by sending an email, text, or making a phone call. This depends on what kind of permissions you have to contact the subject.
If you have any doubts about whether the subject has already opted out, don’t make the mistake of asking your existing customer to renew their consent under the excuse of GPDR – e.g., asking them by e-mail to reconfirm their preferences. This is, in definition, a marketing message, which strides against the GDPR legislation.
Note: A consent must be kept for documentation two years after it expires.
Numerous tech solutions can help you to identify expired and outdated data and automatically alert you when it’s time to take the required action to delete or reactivate your subject.
A customer has the right to access any of their registered data in a machine-readable format within a month from the request.
It’s a good idea to teach your agents how to handle such requests decently and define a standard procedure that makes it possible to fulfill any requests within the given time period. By storing your data correctly (and make sure that your data processors do so too), it's easier to track the requested data and adhere to deadlines.
As well as the customer has the right to access their registered data, they also have the right to be forgotten. Again, make sure you have a procedure and the right tools to easily track and remove customer data when needed.
What to do when a given consent has expired, and it's time to erase data, but you still want to keep data for analysis, statistics, or reporting?
It’s okay to keep data if you anonymize all data related to a single individual, but you need to make sure that it's impossible to track down the person.
Notice that anonymizing and pseudonymization are different from one another. When you pseudonymize, it’s still possible to track down the subject.
Remember to keep documentation when you have erased data.
Did you know? Adversus offers you a solution that will allow you to do so in a simple manner without losing important general data simply by anonymizing the data fields you choose.
Data security is not just an issue for your data controller but involves everyone in your organization.
Make everyone aware of the importance of handling data correctly. Ensure that all employees understand and follow your procedures – and that all your procedures always are up to date with the latest rules and laws.
Monitoring and evaluating processes can help you build good practice in handling the GPDR regulations in your call center. Whenever possible, try to include your employees in those processes to create a general awareness of the importance of compliance.
Not if, but when. It’s almost inevitable not to make mistakes. When it happens, make sure to log all incidents. Logging makes it easier to keep an overview of where to put in an extra effort to strengthen your procedures.
Always report data breaches to relevant authorities as soon as possible – and try to do it within 72 hours after the incident. If you report later than 72 hours after the breach, you need to argue why.
Make sure you have the right tools to detect and report data breaches.
If the breach affects the customer or subject negatively or has any consequences for people involved, make sure to notify them about the breach as soon as possible.
It’s always a good idea to set up clear workflows and use a script when calling – both when it comes to B2B and B2C sales. It makes it much easier for your agents to remember and fulfill your legal obligations and ensure documentation is completed properly. It also helps establish efficient processes and workflows that make it easier for subjects to opt in and out.
Compliance is always your responsibility as a data controller. And it's also your responsibility that external service providers, such as data processors, live up to the regulations concerning your data.
Define a general set of rules for all your third-party service providers and make sure they know your shared responsibility.
Your success in working with telemarketing relies heavily on the quality of your leads. When you buy lead lists from a second or third-party provider, you are, as a data controller, also responsible for the quality of the leads and need to make sure they live up to GPDR.
Less is more. Don’t underestimate the value of having great leads – it’s not a matter of quantity but a matter of quality if you want to improve your success rate and create efficient workflows. A small list of highly targeted leads may perform better than a large list of less qualified leads. Calling the wrong people is simply a waste of their and your time.
If you offer telemarketing services for other companies, you’re a processor. Make sure to have a contract listing responsibilities for each party and shared responsibility.
A third-party service provider is often a processor, while the call center is the data controller.
A call center can be both a data controller and data processor at the same time – if the call center is a third party, they are both controller and processor all in one.
It’s a common mistake that all data must be stored within the EU to live up to GPDR. However, when moving data from within the EU to outside of the EU, you need to follow the context of GDPR. It’s always a good idea to seek legal advice when it comes to moving and storing data.
This article has been brought to light in close cooporation with Kielberg Advokater. We owe them a huge thank you for great inputs and advice!
Neither Adversus nor Kielberg Advokater will take responsibility for disadvantages or losses that may arise from any interpretations of this piece of content. For further questions, please contact your lawyer or legal advisor.
Read more:
https://eur-lex.europa.eu/legal-content/DA/TXT/PDF/?uri=CELEX:32016R0679&from=DA
https://www.nathantrust.com/gdpr-fines-penalties
https://globaldatareview.com/article/1193583/italian-watchdog-issues-eur2-million-fine
.png){kind=small}
