October 21st, 2020

How Are You GDPR Compliant When Working in Telemarketing?

How to be compliant? We have gathered some good advice on GDPR, compliance, data processing, and data storage for people working in outbound phone sales.
Communication consultant

Collecting, handling, processing, and storing data correctly requires significant effort, but compliance and data security must remain top priorities for any business in the outbound sales process. 

What are we going through in this blog post?

Okay. First, we need to state that the “G” in GDPR stands for “general”, which means the same standards apply to all industries. Second of all, we need to inform you that this piece of content isn't a complete list of everything you need to know about GDPR, nor does it constitute legal advice. 

The regulations governing the telemarketing industry and outbound B2B sales may vary from country to country. E.g., some specific rules in Germany are above the GDPR regulations, which brings us to our first advice: Always keep track of local regulations and laws regarding the purpose you’re working on.

Remember that GDPR applies to everyone in your organization – not just the data controllers.

Collecting, handling, processing, and storing data correctly requires significant effort. And for some businesses, the GDPR regulations can obstruct the possibilities to enrich and store data in their favor.

But from the consumer's point of view, the regulations grant basic rights, such as the right to be forgotten. Use this to your advantage and let compliance create a better relationship with your customers by making them feel safe.

Keep in mind, it's also a waste of time to contact people who don’t want to be contacted.

10 Good Advice notes icon-1

  • Always keep track of local regulations and laws regarding the purpose you’re working on
  • Always be transparent about how you collect, process, and store your data.
  • Make sure that the subject has given consent, also when recording conversations.
  • Make it easy for the subject to withdraw any permissions.
  • Only collect and store data for specified, explicit, and legitimate purposes.
  • Make sure your data is up to date (Read: ALWAYS!)
  • Keep track of any data leaks.
  • Make sure all employees are up to date with the newest procedures.
  • Make it easy to erase data.
  • Keep documentation, if necessary.

Overall Principles

What data can you legally collect and process? It varies depending on the specific case, even within the same company. However, there are some fundamental rules you should adhere to.

Firstly, ensure that you have obtained the subject's consent for data processing, unless legal obligations require it, though this is usually an exception.

Next, ensure the data is necessary for your operations, clearly specified, explicit, and collected for a legitimate purpose. Accuracy is also essential.

Understanding the data you collect is crucial. Know why it's relevant to your business. With a clear purpose, you can easily identify and remove irrelevant or incorrect data, thereby preventing data overload.

It's advisable to involve a legal advisor to make this process smoother. They can help you define your purpose and guide you on which data is essential for your business operations.

Who is Subject to GDPR?

Before we detail how to handle GDPR, we need to define the law's subject.

In the GDPR context, a data subject is any identified or identifiable person residing in the EU whose personal data is processed. It includes both living and dead people and their dependents, ascendants, and descendants.

Whether your business is based in or outside the EU doesn't matter. GDPR applies to all businesses that process, handle, or store data belonging to an EU citizen.

Group 40


In telemarketing, we talk about leads, prospects, customers, individuals, people, etc. The law doesn’t distinguish between cold or warm leads, or between potential and existing customers, in this context. They're all the same. The same applies to B2B calling if the data is specific to a single person.

How Much Can You Enrich Your Data?

That question has no simple answer because it depends on your purpose.

Many telemarketing companies enhance their data by combining various datasets or adding notes after conversations with prospects. It's perfectly acceptable to enrich data, but it's essential to remember that collecting or enriching data beyond what's necessary for your primary purpose is illegal. In other words, you must have a valid reason for collecting and processing the data, and it must be relevant to your performance.

This is especially crucial when dealing with personal data. Personal data includes any information related to an identified or identifiable individual, ranging from basic contact details to more sensitive information about their mental state.

The law distinguishes between personally identifiable information, like name and address, and sensitive personal information, such as religious beliefs, sexuality, health details, and so on.

As a business, handling personal data with utmost care and complying with legal requirements is vital.

Be aware of which kind of information you add. There's a huge difference between adding personally identifiable information (article 6) and sensitive personal information (article 9).

Processing sensitive personal information is prohibited unless it can be carried out in accordance with specific conditions. The rule of thumb is to avoid processing these kinds of data unless you fulfill one of the conditions described in article 9 of the GDPR. If you have a legal purpose for processing sensitive information, then use extra safeguards.

If you're unsure about certain data, ask yourself whether it's a 'need to have' or 'nice to have.' If it falls into the 'nice to have' category, it's time for some housecleaning and to minimize the data to only what is essential for your business.

Create a clear, precise description of the information your agents are legally permitted to collect, and ensure consistent monitoring of their activities as you evaluate their efforts. This proactive approach will help maintain compliance and data integrity in your telemarketing operations.

.

Keep Your Data Up To Date

It might seem like a minor detail, but it is vital that your data is correct and always up to date.

If the phone number is incorrect, you may call the wrong person (without permission to do so), or even worse, if the lead has changed the address, you can end up billing the wrong person.

Consent

In most cases, obtaining explicit consent from individuals is crucial before processing their data. While there are a few exceptions, local laws often govern them. The primary rule remains clear: ensure you have valid consent before calling your leads.

When seeking consent, it must be for a specific organization, including naming trusted third parties, such as data processors, if applicable, as part of the agreement. Whether you obtain leads from second- or third-party sources or collect them yourself, securing upfront consent is your responsibility as a data controller.

The consent must be explicit, leaving no room for doubt. Using pre-checked boxes or burying consent within the text (e.g., bundled with other terms and conditions on a webpage) is unacceptable,  also known as "consent by default."

Similar rules apply when seeking permission to record conversations, a topic we'll explore later. Ensuring compliance with consent requirements is essential to maintain ethical data practices in telemarketing.

Three-step checklist

  1. Who? Tell who you are
  2. Why? Explain why you are processing data
  3. How? Tell how long the data will be stored and who receives it

Can I Use the Same Consent for Different Purposes?

No.

Consent is always specific. 

In other words, if a customer grants consent for a particular purpose, such as selling shoes, you cannot use it to sell socks or any other unrelated services. When expanding your business to include new services, like selling socks, it's crucial to obtain explicit consent to contact customers to sell clothing in general, beyond just shoes.

Opt-ins specific to a campaign will automatically expire when the campaign concludes. Therefore, tracking and removing data for any further purposes after the designated date (and retaining documentation for at least two years after the consent expires) is essential. Storing specific consent details for each opt-in is vital for consent obtained through webpages, as the webpage content may change over time.

The same diligent rules apply whether you purchase leads from second- or third-party sources. You must always ensure that consent is accurately obtained and complies with the relevant regulations at all times.

Soft Opt-In – The Loopholes

What about existing customers? How to handle them?

Under some circumstances, you don't need prior consent if the subject's data is obtained as part of a product or service sale or if your purpose for calling relates to a similar service or product.

Opting Out

As easy as it is to opt in, so should it be to opt out.

Inform your subjects clearly about how they can withdraw their consent or cancel any agreements they've made. Providing upfront information about the ease of opting out can actually encourage more opt-ins, as it instills a sense of security, knowing they can cancel at any time. In the end, this approach leads to more satisfied customers. Even if they choose to opt out, they may return in the future because of the positive customer experience they had.

If consent is given over the phone, ensure the option to withdraw is also available. Don't require customers to email to opt out, as this may lead to frustration and dissatisfaction. Remember, making it hassle-free for customers to opt out helps avoid negative experiences and builds a better reputation for your product or service.

Checklist

  • The consent must be for a named organization – remember to name trusted third parties by name
  • The consent must be explicit and clear
  • The consent must be given separately from other terms and conditions
  • It must be as easy for the customer to opt out as it was to opt in
  • Remove all personal data as soon as the consent expires

The Difference Between Calling B2B and B2C

Even though GDPR doesn’t refer specifically to B2B or B2C but to identified or identifiable subjects, there’s a difference between calling B2C and B2B.

Unlike B2C calling, you don’t need consent for cold B2B calling (answering the phone is consent in itself!).

However, you need a legitimate purpose, which means considering your interest as a business and ensuring the prospect could be interested in your product or services. Also, make sure you're calling the right decision-maker.

Remember, when it comes to GDPR, the same rules apply when processing and storing personal information about a given prospect. Suppose you intend to process or store personal data related to a specific individual in an organization in connection with the call. In that case, the prospect must consent – e.g., if you intend to record the conversation. You also need consent if you intend to send a follow-up email (e.g., with offers). Especially when dealing with one-man businesses, you need to be aware that all data can easily be traced back to a single individual.

Getting consent can be tricky because you must document that you have consent. But it's possible to work around the problem to have the cake and eat it too.

We’ll get back to the tricky part of obtaining consent to record a conversation in a bit. First, let's focus on getting consent to send an email.

Unless you have recorded the conversation (and thus also the consent to send an e-mail), you can repeat what the prospect has consented to during the call in the e-mail follow-up.

Remember to include

1. Your purpose,
2. The reason why you’re following up by e-mail,
3. What you have agreed on during the conversation, and
4. The possibility to opt out if the prospect objects to any further contact.

Be transparent about your purpose at any given time, and don’t be too pushy. Long-term B2B relations with a genuine interest in your products and services are preferable to a quick-fix sale.

Consent When Recording Conversations

Many call centers record conversations by default for educational purposes or “to improve customer service”. But these are not lawful reasons. You still need to get your consent upfront – and it must be explicit and clear before you tap the record button.

Ensure all parties are informed that they will be recorded – both the subject and the agent. It’s a bit tricky, especially when you're doing outbound calling. But it's possible.

Practically, you need to notify the person you intend to record and get consent off the record before you have permission to record the conversation. When you start the recording, ask the person to confirm their consent.

One way to do this is to recap your agreement, e.g., by saying: “…As we agreed, I have started the recording now…” or “I need you to confirm that we agreed on recording this conversation…”

It’s a good idea to provide your agents with a comprehensive script that clearly outlines how to collect consent correctly, to avoid misunderstandings.

It’s much easier to get consent if you do the inbound calling, and your dialer supports an IVR message that notifies you the conversation will be recorded.

Ensure your agents are well-trained and pay attention to this matter.

It’s okay to record when:

  • You have clear and explicit consent from the person you are recording
  • The recording is crucial to comply with a contract

Remember to Get Consent From Your Agent

While focusing on getting consent from subjects, some call centers may forget that GDPR applies to their employees.

If a subject asks for access to all registered personal data, you’re not allowed to hand out recorded conversations to a subject unless your agent consents. At the same time, you are obliged to hand out any data registered on the subject, including recordings, which puts you in a bit of a dilemma.

What to do? Both options seem impossible. A workaround is to blur or mask the agent's part of the conversation, but then again, it’s a bit elaborate.

The best advice is to have your agents sign a “notice and consent” document acknowledging that their conversations may be monitored, recorded, and handed out upon request by any subject.

How Long Can I Keep The Data?

No longer than necessary. As soon as the necessity has expired, you need to erase the data.

And how long is necessary, you may ask? Well, if you have a good reason to keep the data, it's necessary.

“Nice to have” is not a reason, and always make sure the data meets the compliance requirements mentioned above. Ask yourself why it's important for your business to keep data and consider anonymizing any personal data that’s no longer necessary to keep. We’ll get back to that.

Consent expires after a year of inactivity. After a year, you need to renew it by reactivating the lead via email, text, or phone. This depends on the permissions you have to contact the subject.

If you have any doubts about whether the subject has already opted out, don’t make the mistake of asking your existing customer to renew their consent under the excuse of GDPR – e.g., asking them by e-mail to reconfirm their preferences. This is, by definition, a marketing message that goes against the GDPR legislation.

Note: A consent must be retained for documentation purposes for 2 years after it expires.

Numerous tech solutions can help you to identify expired and outdated data and automatically alert you when it’s time to take the required action to delete or reactivate your subject.

The Consumer's Right

A customer has the right to access any of their registered data in a machine-readable format within a month of the request.

It’s a good idea to teach your agents how to handle such requests effectively and define a standard procedure that allows you to fulfill any request within the given time period. By storing your data correctly (and ensuring your data processors do the same), it's easier to track the requested data and meet deadlines.

As well as the right to access their registered data, the customer also has the right to be forgotten. Again, ensure you have a procedure and the tools to easily track and remove customer data when needed.

How Can I Keep Useful Data?

What to do when a given consent has expired, and it's time to erase data, but you still want to keep data for analysis, statistics, or reporting?

It’s okay to keep data if you anonymize all data related to a single individual, but you must ensure it's impossible to track down the person.

Notice that anonymizing and pseudonymizing are distinct. When you pseudonymize, it’s still possible to track down the subject.

Remember to keep documentation when you erase data.

Data Is Everybody’s Concern

Data security is not just an issue for your data controller but involves everyone in your organization.

Make everyone aware of the importance of handling data correctly. Ensure that all employees understand and follow your procedures – and that all your procedures are always up to date with the latest rules and laws.

Monitoring and evaluating processes can help you establish best practices for handling GDPR regulations in your call center. Whenever possible, try to include your employees in those processes to create a general awareness of the importance of compliance.

When Things Go Wrong

Not if, but when.

It’s almost inevitable not to make mistakes. When it happens, make sure to log all incidents. Logging makes it easier to keep an overview of where to put in extra effort to strengthen your procedures.

In compliance with the law, it is essential to report within 72 hours of the incident. Failing to meet this deadline may require you to provide a legitimate reason for the delay.

Make sure you have the right tools to detect and report data breaches.

If the breach affects the customer or subject negatively or has consequences for the people involved, notify them as soon as possible.

Prevent Things From Going Wrong

It’s always a good idea to set up clear workflows and use a script when calling – both for B2B and B2C sales. It makes it much easier for your agents to remember and fulfill your legal obligations and ensure documentation is completed properly. It also helps establish efficient processes and workflows that make it easier for subjects to opt in and out.

Make Sure Your Provider Lives Up to GDPR

Compliance is always your responsibility as a data controller. And it's also your responsibility to ensure that external service providers, such as data processors, comply with the regulations governing your data.

Define general rules for all your third-party service providers and ensure they know your shared responsibility.

Your success in telemarketing depends heavily on the quality of your leads. When you buy lead lists from a second- or third-party provider, you, as a data controller, are also responsible for the quality of the leads and must ensure they comply with GDPR.

Checklist

  • Determine how your lead supplier gets its leads
  • Make sure that the leads have expressed an interest in buying your product
  • Make sure that the leads are authentic and validated
  • Make sure the leads have given their consent
  • Check if your supplier has a history of complaints regarding the quality of the leads.
  • Wash your leads before you start calling.

If you offer telemarketing services for other companies, you’re a processor. Make sure to include a contract that lists each party's responsibilities and shared responsibilities.

A third-party service provider is often a processor, while the call center is the data controller.

A call center can simultaneously be a data controller and data processor – if the call center is a third party, they are both controller and processor all in one.

  • A data controller is someone who has direct interaction with the customer.
  • A data processor is someone who processes the data on behalf of the data controller.

Storing Data

It’s a common mistake to assume that all data must be stored within the EU to comply with GDPR.

However, when transferring personal data from the EU to a country outside the EU, specific rules and safeguards must be followed to ensure compliance with GDPR.

GDPR allows data transfers to countries deemed by the European Commission to have an adequate level of data protection. For transfers to countries without an adequacy decision, organizations can use specific mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), to ensure the data is adequately protected during the transfer.

As data protection regulations can be complex and vary depending on specific circumstances, seeking legal advice is a good idea when handling data transfers and storage, especially for cross-border data flows. This ensures that organizations meet their legal obligations and protect individuals' personal data appropriately.

 


This article has been brought to light in close cooperation with Kielberg Advokater. We owe them a huge thank-you for their great input and advice!

Neither Adversus nor Kielberg Advokater will take responsibility for disadvantages or losses that may arise from any interpretations of this piece of content. For further questions, please contact your lawyer or legal advisor. 


Read more:

https://eur-lex.europa.eu/legal-content/DA/TXT/PDF/?uri=CELEX:32016R0679&from=DA

https://www.nathantrust.com/gdpr-fines-penalties

https://globaldatareview.com/article/1193583/italian-watchdog-issues-eur2-million-fine

 

 

Like posts
like this?

Subscribe to new blog posts from us!

Picking an auto dialer should be exciting. More often, it feels like buying a mattress online: fourteen tabs open, every option.

Most outbound sales teams don't have a people problem. They have a stack problem.

Too many tools that don't talk to each other..

Most sales teams don't fail at outbound because their reps aren't good enough. They fail because the system behind the reps isn't.

Ready to have more impactful conversations?

Be up and running in just a few minutes!