GDPR doesn’t have to shut down your cold calling marketing approach. However, there are things you need to know before you continue to ensure GDPR compliance. In this article, you’ll find out:

  • How GDPR could affect cold calling
  • When it’s ok to contact people without prior permission
  • How this differs between B2B and B2C
  • What we do here at tye to ensure compliance

Cold emails, of course, are another story. Sending mass spam email is less time-consuming for spammers than making phone calls, and therefore more prolific, so there are more rules you need to be aware of. You can read more information on sending bulk emails without spamming here.

Cold calling and GDPR

Cold calling, the action of reaching out to a contact that wasn’t expecting to hear from you, is a key lead generation strategy for many marketing and sales teams. However, when ensuring GDPR compliance, you may need to adjust your tactics in order to stay above board (and avoid those scary fines). 

What’s GDPR?

GDPR (General Data Protection Regulation) is a set of data privacy and security laws enforced in Europe in 2018. These new regulations were put in place to ensure people and companies were managing data collection in a way that protected the consumer, and if these rules were broken, non-compliance could result in penalties.

The ICO states that the GDPR provides the following fundamental rights for EU citizens:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights in relation to automated decision-making and profiling.

Even if you aren’t based in Europe but process personal data that is, these rules still apply to you.

In general, you can assume that processing personal data is illegal unless you have clear permission to use it. So, if you have collected opt-in, or have a clear verbal or written agreement that you can use a person’s data for sales or marketing purposes, you need not worry about the GDPR for these data subjects. 

Otherwise, you need to be sure that you comply. There are exceptions to the GDPR that allow us to use data appropriately to perform general business behavior, like finding new potential customers. We’ll go into exactly what the exceptions are in this post.

Is cold calling allowed under GDPR?

Yes, but…

Of course, there are circumstances where it would be compliant, and others where it wouldn’t. 

GDPR law states there are six legal bases for the processing of personal data: 

  • consent

  • performance of a contract

  • legitimate interest

  • vital interest

  • legal requirement

  • public interest

Here are some examples:

Calling a company vs an individual

Data that describes a company is not protected by the GDPR, like a company phone number, as it doesn’t give you any personal data. If you have a generic business number, and it isn’t made clear that there is a specific person behind it, it’s not GDPR relevant and you can call it without concern.

If you have data that you know belongs to a specific person, such as a personal number or a business number with an extension, you need to ensure you comply in other areas as stated above, such as consent (they’ve given you permission) or legal requirement (e.g. you’re changing terms of their contract).

There is ‘legitimate interest’

Also known as Recital 47, legitimate interest is a term used in GDPR law that states that you can get in touch with a business contact, providing you can justify that there is a legitimate interest from both parties. 

There are no concrete rules around what counts as legitimate, and it differs based on the individual circumstance. You must assess the situation, and make a judgement call based on common sense, and your understanding of the GDPR.

To do this, weigh up your interest in using the contact data vs the contact’s interest in you not using the information. 

For example, you could argue that you have a legitimate business interest to communicate with a contact if: their phone number is available on the website, and they have a relevant role like sales or marketing, and you have something you’d like to sell them that you believe is of interest to them.

Another way to defend legitimate interest is if someone has signed up to hear other types of communication from you, such as signing up to your email list. You can claim that this person is interested in hearing from you via email, therefore they would not be unhappy to receive a phone call.

You know when to stop

Your legitimate interest stops when you find out you cannot contact them for any reason. It might have been made clear on the website where you found their contact information that the number is not to be used for direct marketing purposes. Or, they might tell you that they are no longer interested and you lose justifiable legitimate interest.

As you must find a ‘justifiable’ reason to get in touch, you also need to maintain this reasoning. So, in any situation where it feels reasonable to stop contacting a person, you must do so.

Informing your cold call prospects of your CRM data under GDPR

When you’re first in touch with a new contact, it’s important they’re made aware that you plan to add them to your CRM database (or Customer Relationship Management tool). While this is ideally done soon after you are in contact with them, there’s no need to let it get in the way of your interaction. It’s also difficult to do during a phone call, as it’s hard to capture and store proof of consent.

When to do this

Scenario A: you get the contact data directly from the person, for example, if you call a general business number and reach a relevant contact. You should inform them during the call that you want to add them to your database so you can stay in touch. Send a follow up email, and ask them to confirm that they give you permission to do so.

Scenario B: the data is collected from a 3rd party, for example, if you find a relevant contact’s phone number on their company website. If you don’t plan to communicate with them at that moment, you have to inform them the first time you speak to them, which must be within a month. 


How to personalize your sales data strategy for GDPR compliant cold calling

How can you ensure your sales process is GDPR compliant?

Ask yourself these questions about your phone number database when prospecting:

  • What kind of phone numbers do you have? Are they private or personal?
  • How did you acquire them? Were they bought, borrowed, or stolen?
  • Have they stated the number is not to be used for telemarketing reasons?
  • Have they made it clear they aren’t interested or are the wrong person to contact?

If you answered yes to any of those, you may want to reconsider calling them and check again that you either have opt-in, explicit consent, or a legitimate interest.

If you can be sure that your contacts are clear to call under GDPR, then you can continue with your marketing or sales process with your data.

Tip: Check your telephone data against the TPS (Telephone Preference Service). It’s a central register of individuals in the UK who have opted out of receiving marketing calls.

B2B vs B2C data under GDPR

There is a difference between the kind of data you can collect and use depending on whether the reason for holding this data is B2B or B2C motivated. You need to know how to find a balance between collecting relevant information and being too intrusive in order to be GDPR savvy. The key to this is understanding what is relevant to know, based on who they are to you.

For example, if you’re collecting B2B sales leads, knowing what breed of dog a customer owns isn’t relevant and shouldn’t be collected in your CRM. However, if you’re collecting the lead for a pet food company for a B2C campaign, you can justify the reason to collect it. The most important thing is collecting your data in a legitimate way, e.g. it was handed over with permission from the contact, or it’s public information.

Remember in B2B that if the data is irrelevant to your business goals, you should not keep that information. It’s reasonable to keep data on their interests for their business, such as what software they use, but not personal information, e.g. where they go on vacation.

Our process at tye for cold calling under GDPR

We use cold calling as a strategy here at tye for reaching out to potential customers who may find our services useful. It’s important for us to stay compliant (as well as follow best practices for marketing communication globally). Here’s what our current cold calling process looks like:

  1. We collect contact information from websites or other legitimate third-parties.

We look at their company websites to see if they’d be a good fit to work with us, and may want to use our services.

  2. We identify which person would be the most relevant person to reach out to.

We typically identify relevant contacts that we want to reach out to by looking at their website’s contact or staff page, taking care to ensure there is a mutual legitimate interest.

  3. We reach out to the contact by phone.

We call up to a maximum number of 5 times to try and reach the person. If we call 5 times and get no response, we remove them from the database to ensure we don’t pester them.

  4. When we do reach someone, we make note of this.

It’s important to keep track of your conversations with people, so you know who has been responsive and what your next steps are.

  5. We add any additional contacts to our CRM.

If we are made aware of other contacts that could be relevant along the way, we make note of these as possible contacts to follow up with, for example, colleagues of the person we have reached out to.

My biggest tip? Document everything as it happens. When talking about GDPR, I always think about the ‘worst-case scenario’ and how I can justify all of our actions, and prove that we were acting appropriately. To do this, you must keep some form of proof that you’ve got permission to contact someone and continue to contact them. It’s much harder to collect proof of a verbal agreement than an email, of course. You can store call recordings, just remember to ask permission first...

If you’re still unsure, it’s recommended to get legal advice or more information from GDPR experts on cold calling or cold emailing so that you can be sure you are compliant with your marketing campaigns.



Casper Schulenburg - September 22, 2020

As the Chief Legal Officer and a tye co-founder, Casper has a fascination for processes & privacy. Licensed Data Protection Officer who was the DPO for a €4B energy provider. Casper spent most of his youth in Iran and Austria. He studied Law and Economics in Bayreuth, Heidelberg and Mannheim. His biggest interests are history, politics and the development of societies. His ultimate goal is to achieve data sovereignty of individuals.