Since GDPR came into effect in May 2018, there has been a great deal of conjecture, speculation and debate about how the new regulations affect contacting clients and prospects. The rules are in place to protect personal information and to ensure that the data holders are treating that information with the respect it deserves.
So how does GDPR affect B2B telemarketing? To legally collect, store and use business data you need to be able to apply one of the following options:
- Contractual necessity
- Compliance with legal obligations
- Vital interests
- Public interests
- Legitimate interests
Where prospect marketing is concerned, GDPR allows telemarketing to occur either if there is direct consent, or if it is believed that the prospect has a legitimate interest in the products or services that the business is marketing. However, that doesn’t mean you have a free pass to do whatever you want.
You need to identify a legitimate interest for the data processing, show that the processing is necessary to achieve it and prove you have balanced this against the interests, rights and freedoms of the individual.
The legitimate interests can be your own interests or the interests of third parties, and can include commercial interests, individual interests or broader societal benefits.
If you decide to use legitimate interests as a lawful basis, then a Legitimate Interests Assessment (LIA) must be completed in all cases. An LIA is basically a risk assessment that ensures you’ve gone through a comprehensive decision-making process and have balanced your own interests against those of the individual.
Additionally, it is recommended that you apply the following protocols to keep you compliant as you move through the marketing and sales cycle:
- Your data must be cross-checked with the CTPS register every 28 days
- Record opt-in for email marketing; record opt-out for calls. Date and time stamp. Record who you spoke to
- Do not collect, keep or store any personal details that are irrelevant to the sales and marketing process
- When you collect data which is relevant to your sales process, this must be protected effectively if being stored
- You must have a process to enable a contact to request a copy of all the personal information you hold about them
- If a contact requests to be removed from your database this should happen immediately and you should record that the action has been taken
GDPR does allow you to use third-party organisations, such as a telemarketing company, to process your data. As the data controller it is your responsibility to choose a partner who can demonstrate compliance and who has appropriate security measures to protect your data.
At the same time, your processor can assist you in ensuring compliance with your security obligations. For example, if you lack the resource or technical expertise to implement certain measures, engaging a processor that has these resources can assist you in making sure personal data is processed securely.
In short, you should of course adhere to the regulations, and ensure that you are fully compliant. However, GDPR does not prevent you from undertaking telemarketing activities, either using your own internal team, or by partnering with an external resource.