Posted by: Malcolm Jarvis CIPP/E
The GDPR greatly expands on existing data protection laws at the same time as introducing a raft of new legislation. As this covers many aspects of how businesses use data, call centres, as custodians of vast volumes of personal data, are going to be especially affected by these new laws.
One question that comes up regularly when I’m talking to folks in the call centre business is whether cold calling will still be permitted once the GDPR comes into force? The short answer, fortunately, is yes. The longer answer is yes, but in order to do so you’re likely going to need to learn about and start doing “balancing tests”.
This blog post explores why balancing tests are going to become an essential part of operating an outbound marketing campaign to anyone located in the EU (and the UK after Brexit), and the three steps involved in doing them successfully.
As before, a quick disclaimer before we start. I’m not a solicitor and I’m definitely not an expert on EU law. All suggestions and advice given here are drawn from my own research coupled with a career working in the call centre industry. You should either use this post as part of your own research, checking the content of the new regulations yourself in order to draw your own conclusions, or seek out qualified legal assistance to ensure plain sailing after the GDPR comes into force.
It’s also worth mentioning that another major piece of EU regulation heading our way is the revised “ePrivacy Directive”. This is the basis for the UK’s PECR regulations as jointly enforced by the ICO and Ofcom. Just to keep things interesting, this was planned to come into force at the same time as the GDPR but is now looking more like the end of the year or even later. For a heads up on what the new ePrivacy Regulation may mean for cold calling, there's a whole other post about it here.
The Legal Basis For Using Consumer Data For Cold Calling
In my last article on the changes coming with the GDPR, I discussed the new obligations the GDPR places on call centres regarding opt-in consent. These are, in fact, part of a broader set of regulations found in Article 6 of the GDPR, titled “Lawfulness of processing”. This is where we find the requirements an organisation must satisfy in order to use personal data within the business’ activities.
Before we take a look at the details, I’d best point out that where the GDPR uses the word “process” in relation to data, I’m going to use the word “use”. The reason I think “use” is the more helpful verb is that “process” suggests that these rules only apply when data is being processed by a computer system where the GDPR actually applies to any use of someone’s personal data either by automated means or as part of a filing system. This means that just storing data on your PC is covered by the GDPR, as is deleting it, altering it, adding to it, sharing it, or loading it into a dialler and calling it.
For example, adding a customer's phone number to your PC's calendar so you can call them back counts as processing personal data. Putting a CV in a filing cabinet counts as processing personal data. If you’re thinking that this sounds like the GDPR will impact nearly all aspects of every company’s activities, then you’d be right. As well as solicitors who are running to keep up with the nuances of the GDPR as they’re understood and clarified, there are many new businesses popping up to provide advice on compliance with the GDPR in every aspect of business life. Here we’ll focus on using data for the purposes of cold calling, but it’s worth noting that there are many more aspects of data usage within your business that you’ll need to consider.
One more quick clarification before we continue. The GDPR talks a lot about “personal data” and a company’s obligations to protect personal data in its care. Just in case you’re thinking that personal data is stuff like dates of birth, national insurance numbers, etc it’s much broader than that. It’s also not things like health records, political affiliations, criminal records and so on - those are special categories of data, which have a whole range of additional restrictions and obligations. Personal data (or personally identifiable information, to give it its proper name) is any information related to an identifiable person, including names, home addresses, e-mail addresses, phone numbers, and everything else that is typically considered “vanilla data” in call centre terms. That means that the GDPR has implications for pretty much all data that’s the bread and butter of an outbound call centre’s operation.
Anyway, back to Article 6, and the six reasons an organisation can legally use personal data as part of their business activities, for example to cold call potential new customers. These are listed in Part 1 of Article 6, and go roughly as follows (I'll paraphrase, but you can check the actual text for the full definitions):
- If someone’s given you their explicit consent for you to use their data then you’re free to use their data for that purpose
- If you’re entering into a contract with someone and you need to use their data in order to fulfil that contract, then it’s fine to use their data.
- If you’re legally obliged to use someone’s personal data, then you can (and probably should) do so.
- If the processing can be demonstrated to be necessary to protect someone’s vital interests, i.e. their health or wellbeing would otherwise be at stake, then it’s a good idea to use their data.
- If use of the data is necessary to carry out a task in the public interest then that’s fine too.
- If none of the above apply, but you can demonstrate your “legitimate interests” aren’t overridden by the individual’s “fundamental rights and freedoms” then you may be able to use his or her data.
So, the first of the reasons given is that the data subject (i.e. the individual whose data you are using), has given their consent for you to use their data. Note that consent is specific to a particular use of someone’s data. If the way that you want to use someone’s data is significantly different to the use that they have given their consent for, then the consent does not count.
For example, if someone has given you consent to contact them via e-mail, this doesn’t translate to them giving you consent to call them on their mobile phone. This doesn’t mean that you definitely can’t call them, it just means that you need to meet one of the other five criteria in order to do so.
The next four criteria, (b) to (e) are all relatively straight-forward and it should be obvious if they apply to your situation. As you may have noticed, in most cases it would be a pretty big stretch to categorise use of data for cold calling under any of these four categories. So this means that unless we have consent to use someone’s data to cold call them, we’re going to have to rely on point (f).
If you work for a public body, then you need to know that the last criteria, (f), does not apply and you’ll need to be able to rely on one of the first five criteria listed in order to legally use someone’s personal data. For the rest of us, this is about to become a bit more complicated.
Why Article 6(1)(f) of the GDPR Is The Salvation of Cold Calling
Assuming that your data lists include individuals that you don’t have explicit consent to call for the reason you wish to call them, and that none of criteria (b) to (e) above apply, how do you legally use someone’s personal data, such as their phone number, to place calls? The answer is the last criteria listed in part 1 of Article 6, which, in full, states:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What does that mean? Rather a lot as it turns out. Leaving aside the bit about the data subject being a child (if you’re looking to call through a list of children you’ll need to do more homework), this means that where the “legitimate interests” of your business aren’t overridden by the “interests or fundamental rights and freedoms” of the individuals you’re calling, you’re off to a good start. This comparison of your interests versus those of the individual’s you plan to call is referred to as the “balancing test”, and it seems that everyone in the cold calling industry is going to need to get familiar with them before 25th May.
Your Side of the See-Saw: Legitimate Interests
The “legitimate interests” clause seems to have been rather contentious for the authors of the GDPR, and a 57-page “opinion” from the Data Protection Working Party goes to some lengths to state that the inclusion of this criteria is not a back door, or a catch-all, or an easy option that allows businesses to use personal data without further thought or consideration. The GDPR includes built-in checks and balances to ensure that, if you’re relying on this basis to justify your use of personal data, that you’ve properly considered what your business’ legitimate interests are and how you might be impacting each individual concerned. What’s more, these checks and balances require documentation to prove that you’ve done them, otherwise there may be fines involved. Really big fines.
So what is a “legitimate interest”? Firstly, if we have a look at Recital 47 of the GDPR, we’ve got a good place to start:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
This comes from one of the rights laid out in Article 16 of the European Charter of Fundamental Rights, the “freedom to conduct a business”. That’s right - despite all the red-tape, legislation, rules, taxes and reporting required, you actually have a right to run a business, even one that makes use of direct marketing strategies.
This means that the first part of the balancing test is to document what your legitimate interest is. An “interest” simply means the benefit that your business is seeking to achieve by using the personal data. Generating profit, creating employment, providing high-quality goods and services are all legitimate interests provided that they comply with the law, make no attempt to mislead or deceive customers, and generally are a benefit to society.
This could draw on your business plan, and, seeing as this needs to weigh up against the right to privacy and the freedom not to have to answer the phone to a cold-caller, you should probably put some time and effort into this. The good news is that you shouldn’t have to repeat this part of the exercise too often unless the nature of your business frequently changes.
However, this is just one side of what’s termed “the balancing equation”. On the other side are the slightly more complex “interests or fundamental rights and freedoms of the data subject”, which you’re legally bound to seriously consider. So what does that involve?
The Other Side of the See-Saw
A key consideration in the “interests or fundamental rights and freedoms of the data subject” is “the reasonable expectations of the data subjects”. As well as any direct impacts from the use of someone’s personal data, such as automatically declining a loan application without recourse (which will also no longer be allowed under the GDPR), you must also consider the potential emotional impact of your use of an individual’s data.
In this respect, the data protection guidelines of the GDPR cross over with Ofcom’s guidance on persistent misuse of an electronic communications network, as both require you to consider potential harm that your activities may cause and demand that you to take positive steps to minimise such harm. Ofcom’s focus is on preventing companies causing distress through misuse of people’s phones and other communication media, the GDPR’s focus is on preventing companies causing distress to individuals through misuse of their personal data.
To be fair, the GDPR recognises that there are degrees to which companies can infringe on people’s freedoms and rights. Someone experiencing negative emotions because you obtained their telephone number from a legal source and used it to call them for marketing purposes isn’t seen as being as serious as the negative emotions they might experience seeing their credit card details posted on your company website.
When it comes to cold calling for direct marketing purposes, the GDPR views the company’s interests in promoting their product as being of low importance (in the grand scheme of the smooth running of the EU), but it also sees the customer’s minor inconvenience at receiving an unwanted phone call as being similarly trivial. Provided that the call is conducted professionally and all the rules are followed, the balance of needs and rights is fairly equal.
So the balancing equation informs us that, from the point of view of the GDPR, a company’s desire to inform potential customers about its products and services is seen as being around as significant as Joe Public’s desire not to have their phone ring while they’re watching reruns of Cash In The Attic. However, the purpose of the balancing equation is to demonstrate that your needs are more important than those of the individuals you’ll be calling, not equally important. So what can you do to tip the balance decisively in your favour?
Safeguards: Tipping The Balance
In cases where the two sides of the balancing equation are roughly equal, the GDPR states that “safeguards” must be provided to help minimise the risk of bad things happening when using someone’s personal data. Some safeguards are mandatory, and some are optional. For example:
- Individual’s must have the ability to easily opt-out of further use of their data. This includes ensuring registration with the TPS means no unsolicited cold calls are placed to these numbers (no change there, but bear in mind that third party opt-ins will no longer be valid).
- Strict, documented limitations on how much data is collected and how long it’s kept for (data minimisation). For example, if you don’t have any need to ask for someone’s date of birth, then why ask? If you don’t need order details on your dialler database after the order has been completed, why not delete them? If you have good answers to these questions that justify obtaining and retaining the data, then that’s fine, you just need to demonstrate you’ve given the matter serious consideration.
- Conducting regular Data Protection Impact Assessments within your call centre (more on these in a future blog post).
- Regular staff training covering how to handle requests for information about your company and the data that it holds on customers, or requests to make corrections to or delete wrong information.
- The use of privacy enhancing technologies, such as encrypted telephone calls, loading customer data lists via secure FTP, and encryption of call recordings and customer data on disk all show that you’re taking protection of consumer data seriously.
- Limiting the number of calls placed to individuals within a given timeframe to reduce the level of inconvenience to them. Negative impacts are seen as being cumulative, so lots of trivial inconveniences will be seen as significant if repeated frequently over time.
- Strict policies and staff training on identifying vulnerable adults, such as those suffering from dementia, and how to professionally end the call without causing distress.
- Making information available to staff so they can respond to the question “where did you get my data?” accurately. This is also a new requirement making organisations fully accountable to individuals regarding their data and where they obtained it from.
The more of these safeguards that a company puts in place, the more a close balance tips in favour of the use of the individual’s data being acceptable.
Demonstrating The Balance
Now we’ve carefully considered our own need to use a list of customer data for cold calling purposes, and analysed the level of inconvenience or concern this may cause to the individual’s being called, and we’ve carefully thought of and implemented as many safeguards as we can reasonably think of, we’re ready to go right? Well, not quite.
There are three further steps you need to take and, as the maximum fine for not carrying out these steps is a mere €20 million or 4% of worldwide turnover (whichever is greater), there’s a big incentive to get these right:
- You need to be able to prove that you carried out the above balancing test any time your use of personal data changes. This is essential, as without consistent documentation proving that your business has been systematically carrying out these balancing tests, you can’t rely on the “legitimate interests” reason for using personal data.
This means that when you launch a new campaign, when you change the forms that agents are filling in during calls, when you change the reports you produce or the way that you load or export customer data, you need to have evidence that the balancing test was done. Ultimately this record may be inspected by the ICO or even (worst case scenario) in court, so it can’t be something that’s given only minimal attention. If you can get your team into the habit of carrying out and documenting this test as a matter of course, then you’ll have little to worry about should there be a complaint that leads to an investigation by the ICO.
To make this process more interesting, it is recommended (although not mandatory) that you make the reasoning behind your balancing test available to the data subjects themselves, i.e. you need to openly inform the individuals you’re calling why you’ve assessed your desire to call them as being more important than their potential desire not to be called. This could be part of your objection handling script or placed on your company website. It’s also recommended that you openly inform people of any profiling carried out using their data and why you did the profiling, in order to demonstrate that you’re not targeting vulnerable individuals with unsuitable services, for example.
- Individuals must be able to exercise their right to object to your use of their data, and, unless there are overriding reasons that you need to use the data regardless of their objection (very unlikely in the case of direct marketing), then you must stop using their data at once. Likewise, individuals expressing a desire to opt-out after having opted-in, or expressing their desire not to have their data processed for the purposes of direct marketing, such as by registering with the TPS, must have their wishes respected.
- Lastly, individuals must have the ability to request an electronic copy of all the data that you hold regarding them (you have a month to comply and cannot charge for the first request), and the ability to request that data be corrected, have notes appended to it, or to be irrevocably deleted. The right to erasure (sometimes referred to as “the right to be forgotten”) doesn’t necessarily involve all the data you hold on a subject. They may well request that you delete every bit of information you hold on them with the exception of agreeing that you can keep their phone numbers on your suppression list.
The last two requirements come from the rights of individuals regarding their data, and we’ll look into these rights further in our next blog post as well as some recommendations for how you can make sure you fully comply with them.
Chances are, in a few years time, we’ll look back on the days before May 2018 as a mixture of a Golden Age of direct marketing and also something of a Wild West. The processes that the GDPR requires businesses to implement are largely such a large shock to the system because until now, there have been few data protection processes that companies needed to follow.
The balancing test is there to demonstrate that your business is acting responsibly and giving proper consideration to the use of other people’s information. While it’s an additional administrative burden that we could all do with less of, in the long run it’s likely to boost public confidence in the industry and ultimately ensure that when people receive a cold call from your business they’re happy that you’re taking proper care of their personal data. If that means they’re also happy to listen to your agent and consider your products or services, then that’s got to be a good thing for everyone.