Adversus Blog: For call centers

How Are You GDPR Compliant When Working in Telemarketing?

Written by Line Jensen | Oct 21, 2020 6:37:31 AM

Collecting, handling, processing, and storing data correctly requires significant effort, but compliance and data security must remain top priorities for any business.  

What are we going through in this blog post?

Okay. First, we need to state that the "G" in GDPR stands for "general", which means the same standards apply to all industries. Second, this piece of content isn't a complete list of everything you need to know about GDPR, nor does it constitute legal advice.

The rules for the telemarketing industry vary from country to country, because local regulations apply on top of the GDPR. Germany, for example, has specific rules that go beyond the GDPR, which brings us to our first piece of advice: always keep track of the local regulations and laws that apply to the purpose and market you're working in.

Remember that GDPR applies to everyone in your organization – not just the data controller.

Collecting, handling, processing, and storing data correctly takes a lot of effort. And for some businesses, the GDPR rules limit how much data they can enrich and retain for their own purposes.

But from the consumer's point of view, the regulations give the consumer some basic rights, such as the right to be forgotten. Use this to your advantage and let compliance create a better relationship with your customers by making them feel safe.

Keep in mind, it's also a waste of time to contact people who don’t want to be contacted.

10 Pieces of Good Advice

  • Always keep track of the local regulations and laws that apply to the purpose you're working on.
  • Always be transparent about how you collect, process, and store data.
  • Make sure the subject has given consent – also when recording conversations.
  • Make it easy for the subject to withdraw any permission they have given.
  • Only collect and store data for specified, explicit, and legitimate purposes.
  • Make sure your data is up to date (read: always!).
  • Log and report any data breaches.
  • Make sure all employees are up to date with the latest procedures.
  • Make it easy to erase data.
  • Keep documentation of consent, erasure, and incidents.

Overall Principles

What data can you legally collect and process? It varies depending on the specific case, even within the same company. However, there are some fundamental rules you should adhere to.

Firstly, ensure that you have obtained the subject's consent for data processing, unless another lawful basis applies – such as a legal obligation or, for some B2B calls, your legitimate interest. In telemarketing, relying on something other than consent is usually the exception.

Next, ensure the data is necessary for your operations and is collected for a specified, explicit, and legitimate purpose. Accuracy is also essential.

Understanding the data you collect is crucial. Know why it's relevant to your business. With a clear purpose, you can easily identify and remove irrelevant or incorrect data, thereby preventing data overload.

It's advisable to involve a legal advisor to make this process smoother. They can help you define your purpose and offer guidance on what data is essential for your business operations.

Who is Subject to GDPR?

Before we detail how to handle GDPR, we need to define the subject of the law.

In the GDPR context, a data subject is any identified or identifiable living natural person whose personal data is processed. The regulation itself does not cover deceased persons (Recital 27), although individual member states may have national rules for them.

Whether your business is based in or outside the EU doesn't matter. GDPR applies to any business processing, handling, or storing personal data about people who are in the EU – it is where the data subject is, not their citizenship, that counts.


Within telemarketing, we talk about leads, subjects, customers, prospects, individuals, people, etc. The law doesn’t distinguish between cold or warm leads, potential or existing customers in this context. They're all the same. The same applies to B2B calling if the data is specific to a single person.

How Much Can You Enrich Your Data?

That question has no simple answer because it depends on your purpose.

Many telemarketing companies enrich their data by combining datasets or adding notes after conversations with prospects. Enriching data is perfectly acceptable, but remember that collecting or enriching data beyond what's necessary for your stated purpose is not permitted (the data minimization principle). In other words, you must have a valid reason for collecting and processing each piece of data, and it must be relevant to that purpose.

This is especially crucial when dealing with personal data. Personal data is any information relating to an identified or identifiable individual, ranging from basic contact details to far more sensitive information, such as details of someone's mental health.

The law distinguishes between ordinary personal data, like name and address, and the special categories of personal data (often called sensitive personal data), such as religious beliefs, sexual orientation, health details, and so on.

As a business, handling personal data with utmost care and complying with legal requirements is vital.

Be aware of which kind of information you add. There's a huge difference between adding ordinary personal data (which needs a lawful basis under Article 6) and sensitive personal data (Article 9).

Processing sensitive personal data is prohibited unless one of the specific conditions in Article 9 applies – for example, the subject's explicit consent for that processing. The rule of thumb is to avoid processing this kind of data at all unless you clearly fulfill one of those conditions. If you do have a lawful basis for processing sensitive data, apply extra safeguards, such as restricting which agents can see it.

If you're unsure about certain data, ask yourself whether it's a 'need to have' or 'nice to have.' If it falls into the 'nice to have' category, it's time for some housecleaning and to minimize the data to only what is essential for your business.

Create a clear and precise description of the information your agents are legally permitted to collect, and ensure consistent monitoring of their activities while evaluating their efforts. This proactive approach will help maintain compliance and data integrity in your telemarketing operations.


Keep Your Data Up To Date

It might seem like a minor detail, but it is vital that your data is correct and always up to date.

If the phone number is incorrect, you may call the wrong person (without permission to do so), or even worse, if the lead has changed the address, you can end up billing the wrong person.

Consent

In most cases, you must obtain the individual's explicit consent before you can process their data. There are a few exceptions, and local laws often govern them. The primary rule remains: make sure you have valid consent before you call your leads.

When seeking consent, it must be given to a specific, named organization, and any trusted third parties, such as data processors, must be named as part of the agreement where applicable. Whether you obtain leads from second or third parties or collect them yourself, securing upfront consent is your responsibility as the data controller.

The consent must be explicit and unambiguous, leaving no room for doubt. Pre-ticked boxes, silence or inactivity, and consent buried in other text (e.g., bundled with the terms and conditions on a webpage) do not count; this is known as "consent by default" and is not valid consent.

Similar rules apply when seeking permission to record conversations, a topic we'll explore later. Ensuring compliance with consent requirements is essential to maintain ethical data practices in telemarketing.

Three-step checklist

  1. Who? Tell who you are
  2. Why? Explain why you are processing data
  3. How? Tell how long the data will be stored and who receives it

Can I Use the Same Consent for Different Purposes?

No.

Consent is always specific. 

In other words: if a customer grants consent for a particular purpose, such as being called about shoes, you cannot use that consent to sell socks or any other unrelated product or service. If you expand your business to include socks, you need fresh consent that explicitly covers the new purpose – for example, being contacted about clothing in general rather than just shoes.

Opt-ins that are specific to a campaign expire automatically once the campaign ends. You must therefore track those end dates and stop using the data for any further purpose afterwards (while retaining documentation of the consent for at least two years after it expires). For consent obtained through a webpage, store the exact wording the subject consented to, since the page content may change over time.

The same diligent rules apply whether you purchase leads from second or third parties. You must always ensure that consent is accurately obtained and complies with regulations at any given moment.

Soft Opt-In – The Loopholes

What about existing customers? How to handle them?

Under some circumstances, you don't need prior consent: if the subject's details were obtained as part of a sale of a product or service, and your call concerns a similar product or service. Even then, the subject must have been given a clear chance to object when the details were collected, and every subsequent contact must offer an easy way to opt out.

Opting Out

It must be as easy to opt out as it was to opt in.

Inform your subjects clearly about how they can withdraw their consent or cancel any agreements they've made. Providing upfront information on the ease of opting out can actually encourage more opt-ins, as it instills a sense of security in knowing that they have the freedom to cancel at any time. In the end, this approach leads to more satisfied customers. Even if they choose to opt-out, they may return in the future because of the positive customer experience they had.

If consent is given over the phone, make sure it can also be withdrawn over the phone. Don't require customers to send an email to opt out, as this only leads to frustration. Making it hassle-free to opt out avoids negative experiences and builds a better reputation for your product or service.

Checklist

  • The consent must be for a named organization – remember to name trusted third parties by name
  • The consent must be explicit and clear
  • The consent must be given separately from other terms and conditions
  • It must be as easy for the customer to opt-out as it was to opt-in
  • Remove all personal data as soon as the consent expires

The Difference Between Calling B2B and B2C

Even though GDPR doesn’t refer specifically to B2B or B2C but to identified or identifiable subjects, there’s a difference between calling B2C and B2B.

Contrary to B2C calling, you don't necessarily need prior consent for cold B2B calling, as long as local rules don't require it. Note that answering the phone is not consent in the GDPR sense; the lawful basis for the call itself is usually your legitimate interest, which is why the next point matters.

However, you need to have a legitimate purpose, which means that you need to consider your interest as a business and ensure that the prospect could be interested in your product or services. Also, make sure it’s the right decision-maker you’re calling.

Remember that when it comes to GDPR, the same rules apply to processing and storing personal data about a given prospect. If you intend to process or store personal data about a specific individual in an organization in connection with the call, that person must consent – e.g., if you intend to record the conversation. You also need consent to send a follow-up email (e.g., with offers). Be especially aware when calling sole traders and one-person businesses, where all data can easily be traced back to a single individual.

Getting consent can be tricky, because you must be able to document that you have it. But there are ways to have your cake and eat it too.

We’ll get back to the tricky part of obtaining consent to record a conversation in a bit. First, let's focus on getting consent to send an e-mail.

If you haven't recorded the conversation (which would also have captured the consent to send an e-mail), restate in the follow-up e-mail what the prospect agreed to during the call, so the e-mail itself documents the consent.

Remember to include

1. your purpose,
2. the reason why you’re following up by e-mail,
3. what you have agreed on during the conversation, and
4. the possibility to opt-out if the prospect objects to any further contact.

Be transparent about your purpose at all times, and don’t be too pushy. Long-term B2B relations built on genuine interest in your products and services are preferable to a quick sale.

Consent When Recording Conversations

Many call centers record conversations by default "for training purposes" or “to improve customer service”. But these are not lawful reasons on their own. You still need the subject's consent upfront – explicit and clear – before you press record.

Ensure all parties are informed that they will be recorded – both the subject and the agent. It’s a bit tricky, especially when you do the outbound calling. But it's possible.

Practically, you need to notify the person you intend to record and get consent off the record before you have permission to record the conversation. When you start the recording, ask the person to confirm that they consent to the recording.

One way to do this is to recap your agreement, e.g., by saying: “…As we agreed, I have started the recording now…” or “I need you to confirm that we agreed on recording this conversation…”

It’s a good idea to provide your agents with a comprehensive script with clear instructions on correctly collecting consent to avoid any misunderstandings.

It’s much easier to obtain consent for inbound calls if your dialer can play an IVR message that tells the caller the conversation will be recorded, so the caller can decide before the agent picks up.

Ensure your agents are well-trained and pay attention to this matter.

It’s okay to record when:

  • You have clear and explicit consent from the person you are recording
  • The recording is necessary to perform a contract with the subject

Remember to Get Consent From Your Agent

While focusing on getting consent from subjects, some call centers may forget that GDPR applies to their employees.

If a subject asks for access to all registered personal data, you’re not allowed to hand out recorded conversations to a subject unless your agent consents. At the same time, you are obliged to hand out any data registered on the subject, including recordings, which puts you in a bit of a dilemma.

What to do? Both options seem impossible. A workaround is to blur or mask the agent's part of the conversation, but then again, it’s a bit elaborate.

The best advice is to make your agents sign a “notice and consent” document acknowledging that their conversations may be monitored, recorded, and handed out by request from any subject.

How Long Can I Keep The Data?

No longer than necessary. As soon as necessity has expired, you need to erase the data.

And how long is necessary, you may ask? Well, if you have a good reason to keep the data, it's necessary.

“Nice to have” is not a reason – and always make sure that the data lives up to the compliance mentioned above. Ask yourself why it's important for your business to keep data and consider anonymizing any personal data that’s no longer necessary to keep. We’ll get back to that.

Consent expires when it has been inactive for a year. After a year, you need to renew it by activating the lead once again by sending an email, text, or making a phone call. This depends on what kind of permissions you have to contact the subject.

If there is any doubt about whether a subject has already opted out, don’t make the mistake of e-mailing your existing customers to ask them to renew or reconfirm their consent “because of GDPR”. That e-mail is by definition a marketing message, and sending it without valid consent is exactly what the GDPR prohibits.

Note: A consent must be kept for documentation two years after it expires.

Numerous tech solutions can help you to identify expired and outdated data and automatically alert you when it’s time to take the required action to delete or reactivate your subject.
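As an added example (not code from the original post or from Adversus), here is a minimal consent register that applies the rules above: consent is purpose-specific, lapses after a year of inactivity or at the end of a campaign, ends immediately on withdrawal, and its documentation is kept for two years after expiry before it is purged. The sample register, the organisation name, the 30-day renewal warning and the status names are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rules of thumb from the post: consent lapses after a year of inactivity and
# proof of consent is kept for two years after it expires. Adjust to local guidance.
INACTIVITY_LIMIT = timedelta(days=365)
DOCUMENTATION_RETENTION = timedelta(days=2 * 365)
RENEWAL_WARNING = timedelta(days=30)   # assumption: warn the agent a month before expiry


@dataclass
class Consent:
    subject_id: str        # internal lead id; keep raw phone numbers out of alerts and logs
    purpose: str           # one consent per specific purpose, e.g. "telemarketing: shoes"
    organisation: str      # the named organisation the consent was given to
    channel: str           # how consent was given and may be used: "phone", "web form", ...
    evidence: str          # reference to the proof: recording id, form snapshot id, ...
    given_on: date
    last_activity: date    # last time the subject acted on the consent (call, purchase, click)
    campaign_end: Optional[date] = None   # campaign-specific opt-ins end with the campaign
    withdrawn_on: Optional[date] = None   # an opt-out takes effect the day it is received

    def expires_on(self) -> date:
        """First day on which the consent can no longer be relied on."""
        candidates = [self.last_activity + INACTIVITY_LIMIT]
        if self.campaign_end is not None:
            candidates.append(self.campaign_end + timedelta(days=1))
        if self.withdrawn_on is not None:
            candidates.append(self.withdrawn_on)
        return min(candidates)

    def covers(self, purpose: str, today: date) -> bool:
        """Consent is specific: it covers only the purpose it was given for, and only while valid."""
        return self.purpose == purpose and today < self.expires_on()

    def status(self, today: date) -> str:
        expiry = self.expires_on()
        if today < expiry:
            if self.withdrawn_on is None and expiry - today <= RENEWAL_WARNING:
                return "renewal_due"        # reactivate only via a channel the consent permits
            return "active"
        if today < expiry + DOCUMENTATION_RETENTION:
            return "erase_personal_data"    # consent is gone: erase the lead, keep only the proof
        return "purge_documentation"        # the retention window for the proof is over as well


def review_register(register: list, today: date) -> dict:
    """Group subject ids by the action the register requires today."""
    actions: dict = {}
    for consent in register:
        actions.setdefault(consent.status(today), []).append(consent.subject_id)
    return actions


# Constructed sample register (not real people or real consents).
ORG = "Example Shoes ApS"
SAMPLE_REGISTER = [
    Consent("lead-001", "telemarketing: shoes", ORG, "phone", "rec-2020-12-01-17",
            date(2020, 12, 1), date(2020, 12, 1)),
    Consent("lead-002", "telemarketing: shoes", ORG, "web form", "form-v3-snapshot",
            date(2020, 3, 15), date(2020, 3, 15)),
    Consent("lead-003", "telemarketing: shoes", ORG, "phone", "rec-2020-06-02-04",
            date(2020, 6, 2), date(2020, 6, 2), withdrawn_on=date(2021, 2, 10)),
    Consent("lead-004", "telemarketing: shoes", ORG, "phone", "rec-2018-01-01-09",
            date(2018, 1, 1), date(2018, 1, 1)),
    Consent("lead-005", "winter campaign 2021", ORG, "web form", "form-winter21",
            date(2021, 1, 20), date(2021, 1, 20), campaign_end=date(2021, 1, 31)),
]
REVIEW_DATE = date(2021, 3, 1)

if __name__ == "__main__":
    for action, subjects in sorted(review_register(SAMPLE_REGISTER, REVIEW_DATE).items()):
        print(f"{action}: {', '.join(subjects)}")
```

Run on the review date, lead-001 is active, lead-002 is due for renewal (its consent lapses two weeks later), lead-003 (withdrawn) and lead-005 (campaign over) must be erased while their proof of consent is retained, and lead-004's documentation has outlived its two-year retention and can be purged. The `covers` check is what the dialer should consult before every call, so that a consent given for shoes is never used to sell socks.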

The Consumer's Right

A data subject has the right to access the data you hold about them, and to receive a copy of the data they provided in a commonly used, machine-readable format, within one month of the request. The deadline can be extended by two further months for complex requests, but only if you tell the subject why within the first month.

It’s a good idea to teach your agents how to handle such requests decently and define a standard procedure that makes it possible to fulfill any requests within the given time period. By storing your data correctly (and make sure that your data processors do so too), it's easier to track the requested data and adhere to deadlines.

Just as the customer has the right to access their registered data, they also have the right to be forgotten. Again, ensure you have a procedure and the tools to easily track and remove customer data when needed.

How Can I Keep Useful Data?

What to do when a given consent has expired, and it's time to erase data, but you still want to keep data for analysis, statistics, or reporting?

It’s okay to keep data if you anonymize all data related to a single individual, but you must ensure it's impossible to track down the person.

Note that anonymization and pseudonymization are different things. Pseudonymized data (e.g., names and phone numbers replaced with tokens) can still be linked back to the subject by whoever holds the key or lookup table, so it remains personal data under GDPR. Only truly anonymized data, where no one can re-identify the person, falls outside the regulation.

Remember to keep documentation when you have erased data.

Data Is Everybody’s Concern

Data security is not just an issue for your data controller but involves everyone in your organization.

Make everyone aware of the importance of handling data correctly. Ensure that all employees understand and follow your procedures – and that all your procedures always are up to date with the latest rules and laws.

Monitoring and evaluating processes can help you build good practice in handling the GDPR regulations in your call center. Whenever possible, try to include your employees in those processes to create a general awareness of the importance of compliance.

When Things Go Wrong

Not if, but when.

Mistakes are almost inevitable. When one happens, make sure to log the incident. Logging makes it easier to see where extra effort is needed to strengthen your procedures.

The law requires that a personal data breach is reported to the supervisory authority within 72 hours of you becoming aware of it, unless the breach is unlikely to result in a risk to the people involved. If you miss the deadline, you must give the reasons for the delay.

Make sure you have the right tools to detect and report data breaches.

If the breach is likely to have negative consequences (a high risk) for the customers or subjects involved, notify them directly and without undue delay, describing what happened and what they can do about it.

Prevent Things From Going Wrong

It’s always a good idea to set up clear workflows and use a script when calling – both when it comes to B2B and B2C sales. It makes it much easier for your agents to remember and fulfill your legal obligations and ensure documentation is completed properly. It also helps establish efficient processes and workflows that make it easier for subjects to opt in and out.

Make Sure Your Provider Lives Up to GDPR

Compliance is always your responsibility as a data controller. And it's also your responsibility that external service providers, such as data processors, live up to the regulations concerning your data.

Define general rules for all your third-party service providers and ensure they know your shared responsibility.

Your success in working with telemarketing relies heavily on the quality of your leads. When you buy lead lists from a second- or third-party provider, you are, as the data controller, also responsible for the quality of the leads and must make sure they live up to GDPR.

Checklist

  • Determine how your lead supplier gets its leads
  • Make sure that the leads have expressed an interest in buying your product
  • Make sure that the leads are authentic and validated
  • Make sure the leads have given their consent
  • Check if your supplier has a history of complaints regarding the quality of the leads.
  • Wash your leads before you start calling.

If you offer telemarketing services for other companies, you’re a processor. Make sure to have a contract listing responsibilities for each party and shared responsibility.

A third-party service provider (e.g., the vendor of your dialer or CRM) is typically a processor, while the call center that decides why and how the data is used is the data controller.

A call center can be both at once: it is a processor for the lead data it calls on behalf of a client, and a controller for the data it decides to collect for its own purposes, such as its own customer and employee records.

  • A data controller decides why and how personal data is processed – typically the business that owns the customer relationship.
  • A data processor processes the data on behalf of, and on the instructions of, the data controller.

Storing Data

It’s a common misconception that all data must be stored within the EU to comply with GDPR.

However, when transferring personal data from the EU to a country outside the EU, specific rules and safeguards must be followed to ensure compliance with GDPR.

GDPR allows data transfers to countries that the European Commission has deemed to have an adequate level of data protection. For transfers to countries without an adequacy decision, organizations can use specific mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), to ensure the data is adequately protected. Since the CJEU's Schrems II judgment (July 2020), which invalidated the EU-US Privacy Shield, relying on SCCs also means assessing whether the law of the destination country undermines the clauses and, where it does, adding supplementary measures such as encryption with keys kept in the EU.

As data protection regulations can be complex and vary based on specific circumstances, seeking legal advice is indeed a good idea when handling data transfers and storage, especially involving cross-border data flows. This ensures that organizations meet their legal obligations and protect individuals' personal data appropriately.

 

This article has been brought to light in close cooperation with Kielberg Advokater. We owe them a huge thank you for great input and advice!

Neither Adversus nor Kielberg Advokater will take responsibility for disadvantages or losses that may arise from any interpretations of this piece of content. For further questions, please contact your lawyer or legal advisor. 

Read more:

https://eur-lex.europa.eu/legal-content/DA/TXT/PDF/?uri=CELEX:32016R0679&from=DA

https://www.nathantrust.com/gdpr-fines-penalties

https://globaldatareview.com/article/1193583/italian-watchdog-issues-eur2-million-fine