When the GDPR (General Data Protection Regulation) took effect in May 2018, many organisations feared that non-compliance would result in huge fines that could put them out of business.
Among the organisations most concerned were those that conduct telemarketing. They thought the GDPR would prevent all unsolicited contact with customers, making it far harder to advertise and sell.
Although the GDPR did introduce strict rules regulating telemarketing, it is still allowed provided that certain conditions are met.
Unfortunately, this is something that many organisations still struggle to understand. According to a study by IT Governance, there were 492 GDPR fines issued in 2021. Of those, 143 related to violations of Article 6 – which contains the rules for activities such as telemarketing.
In the UK, Virgin Media (£50,000), Home2sense (£200,000), We Buy Any Car (£200,000) and EB Associates (£140,000) have all been fined for breaking the rules regarding unsolicited telemarketing.
So what did those organisations do wrong, and how can you avoid making the same mistakes?
How can you avoid fines?
The GDPR mandates that organisations have a valid reason to collect and process personal data. These are known as ‘lawful bases’ in the Regulation, and there are six to choose from.
For telemarketing, the two that are most likely to apply are consent and legitimate interest. Because the rules for obtaining and maintaining consent are so strict, organisations are advised to use it only when no other basis applies.
That leaves legitimate interest, which is the most flexible of the GDPR’s bases for processing. It can theoretically apply to any type of processing carried out for any reasonable purpose.
On the one hand, this gives you a lot of room for interpretation. On the other, it’s unhelpfully vague, and places the burden on organisations to determine whether their interests in processing the personal data are legitimate.
Fortunately, Recital 47 of the GDPR clarifies that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
As such, telemarketing is acceptable provided that it won’t unduly burden customers.
However, it’s not just the GDPR that organisations must contend with. There is also the PECR (Privacy and Electronic Communications Regulations), a UK law that regulates electronic communications, including electronic direct marketing and tracking technologies such as cookies.
The Regulations use the same high standard for consent as the GDPR – but crucially, they require consent to be used much more frequently.
As such, many UK marketing organisations are required to use consent instead of or alongside legitimate interest, making compliance much tougher.
Telephone Preference Service
Lawful consent in the UK is complicated further by Regulation 21 of the PECR. It states that organisations that wish to perform telemarketing must screen their list of phone numbers against the TPS (Telephone Preference Service).
The TPS is a free service that enables individuals to register on a ‘do not call’ list, exempting them from unsolicited sales and marketing calls.
Anyone who has registered has effectively refused consent, and organisations that contact them are violating their data privacy rights.
PECR and soft opt-in consent
There is one caveat to the PECR’s rules that makes it easier for organisations to obtain consent: the option of using ‘soft opt-in’ for existing customers.
The concept is comparable to legitimate interest under the GDPR, and is most likely to be used when an individual gives an organisation their details and doesn’t opt out of marketing messages.
This suggests that they are happy to receive marketing from you about similar products or services even if they haven’t specifically consented.
However, organisations must give customers a clear chance to opt out – both when they collect their details and in every message they send.
Additionally, Regulation 21 of the PECR states that organisations must keep a list of anyone who has opted out and cease contacting them.
Are your data processing practices GDPR compliant?
The introduction of the GDPR alongside the PECR has meant organisations need to tread a fine line when it comes to telemarketing.
Many are still unsure of what they should be doing, and some are paying the price. If you want to avoid making the same mistakes, our bespoke consultancy services can help.
Using the experience of our consultancy team, we can provide you with bespoke consultancy support, which will be scoped and scheduled to ensure that your business conducts its marketing activities with current best practice and regulatory standards in mind. Support we have provided to previous customers has included:
- Implementation support with consent management tools
- Reviewing and providing recommendations to compliantly collect and process data
- Conducting legitimate interest assessments
- Providing guidance to optimise compliant consent statements
- Policy and other documentation
- Data strategy and guidance
As we’ve outlined in this blog, there are a number of considerations when it comes to compliant marketing practices. For those looking for more help, DQM GRC’s Bespoke Consultancy service is the ideal solution.
Our team of experts will design a programme of support around your requirements, and help you avoid fines and improve your marketing compliance.