5 things you should consider
GDPR will affect how telemarketing campaigns are undertaken, it is the new data protection law that comes into force on 25th May 2018. It will have an impact on all personal data processing. Personal data is any data which can identify a living person, including a name, email address, or mobile phone number.
Most organisations have lists of existing customers or prospects. These are the 'go to' resource for generating new business. GDPR doesn't prevent using this data, but is does make certain demands of the organisation before it can be legally used.
The principle of transparency requires that data subjects know you hold data about them and what you intend to do with it. They must also be told about their rights.
If you intend to use existing lists, you must communicate this information to data subjects before doing so, and in the case of direct marketing, no later than the first time you contact them. The list of things you must tell them is itemised in Article 13 of GDPR which we have covered in our blog titled Article 13 – Information to be provided to the data subject
Many people have jumped to the conclusion that consent will be required as a result of GDPR. This is not the case. Consent is only one legal basis for telemarketing, and it will often not be the best one.
For direct marketing including telemarketing, 'legitimate interest' will often be better. Indeed GDPR explicitly says direct marketing is a legitimate interest. This will often be the best legal basis for prospecting. If you are communicating with existing customers, or customers who have recently left, say within the last year, the legal basis of 'contract' may also be valid.
The key thing to know is that you must have a legal basis for doing your telemarketing, so you must choose one and the data subjects need to know what it is. The legal bases all have additional requirements which also need to be satisfied, such as a necessity test.
GDPR has changed the way data protection issues will be tested. The Regulation is clear the data controller is responsible for demonstrating they have complied with the law. This means the ICO, the UK regulator, does not need to show you have acted illegally, they only have issue fines. The burden of proof is now on you, you have to prove you are 'in no way responsible'.
This doesn't just apply to the ICO either. GDPR makes space for material and non-material damage claims by data subjects, and it also provides for class actions. All of which will be tried on the same basis; you need to show you are innocent!
Unless you have valid consent, you must screen all calls against the TPS list, and CTPS list if you are calling companies. This isn't exactly new, but is worth mentioning because of the shift in the burden of proof. A data subject only need feel upset by your call, and now you must prove you have done nothing wrong!
Fines for flouting the requirement to screen against TPS and CTPS have been few and far between, but data subjects can start actions themselves, or even class actions, and it will be impossible to prove you have behaved reasonably if they can show their number is listed on a suppression register.
If you cannot bring your existing data to a suitable place, you will need to delete it. Having done so you will possibly need to source more. You will need to pay much more attention to the data supplier. If they have not gained their data in a compliant way, then it cannot be compliant for you to use it.
GDPR makes it plain that you are also responsible for any issues, even if they are caused by a supplier, and you are only off the hook if you can show you are in no way responsible. Do your due diligence, and don't accept implausible explanations, always sanity check what they claim, you owe it to yourself, and the data subjects.