The General Data Protection Regulations (GDPR) will certainly affect the conduct of cold calling, but it will not stop organisations from using cold calling to contact customers. Cold calling requires an organisation to process personal data, therefore GDPR will change the process to ensure that personal data is processed lawfully and fairly.
Therefore, businesses which use cold calling as a tool for direct marketing, need to be aware of how to change their procedures to be GDPR compliant.
Direct Marketing and Cold Calls
Cold calls can be used as an outbound marketing strategy, as they allow an organisation the opportunity to directly contact a customer. This phone call can help initiate consumer interest into an organisation's product and aid lead generation.
Lead generation now needs to be GDPR compliant, therefore an organisation needs to document their materials used to create leads, such as contact forms.
Article 6 of the GDPR explains the lawfulness of processing, and how an organisation can use personal data. Therefore, organisations using cold calling must examine Article 6 to decide how they can use personal data.
A data subject needs to have given an organisation specific consent to use their personal data, such as consent to contact them via email to advertise a product. Subsequently, Article 6 (1) (f) allows an organisation to translate this consent through using legitimate interest, allowing them to then contact a data subject via telephone, but only if the interests are not overridden by the freedoms or rights of a data subject.
Recital 47 of the GDPR addresses legitimate interest, which can be used as a justification for the processing of personal data in direct marketing. However, legitimate interest requires a 'balancing test' to compare the interest of the organisation against the interest of the data subject. The balancing test is needed, if an organisation is going to rely on the legitimate interest clause to conduct cold calling. Documentation of this balancing test needs to occur, if an organisation wants to protect itself from a fine.
The balancing equation references the organisation's interest, in balance with the data subject's interest. For example, an organisation's interest is advertising a product to a customer via phone call. Whereas, a data subject's interest is the protection of their personal data and the upholding of their fundamental rights.
An organisation using cold calling needs to consider whether it will directly impact the data subject negatively.
The balancing test will demonstrate that an organisation has considered the data subject's fundamental rights, and in effect has complied with regulation. It will also improve the reputation of the organisation, as they will be known for their GDPR compliance and therefore data subjects will not feel harassed by receiving cold calls.
Cold emailing is another tool used for direct marketing, as it allows an organisation to directly communicate with a customer. Like with cold calling, cold emailing will be affected by GDPR, and an organisation will have to alter their procedure to become GDPR compliant.
You will need to have the consent of a data subject, which is freely given, specific, informed and unambiguous, in order to email them. This consent will need to be explicit, so that your organisation can prove that consent was achieved, if necessary.
There should be an explicit reason for sending an email to a recipient, one which is connected to them. If a cold email is sent out, for example having been given the go ahead internally under legitimate interest for example then there needs to be an option to withdraw from the email communication, via an "opt-out" mechanism.
If an organisation wants to remain GDPR compliant, then they need to be well trained with their marketing strategies, to ensure cold calling and cold emailing are conducted in the appropriate fashion.