There has been a considerable amount of discussion within the B2B sales community about whether cold calling is legally permissible under the General Data Protection Regulation (GDPR). This comprehensive guide will provide an in-depth look at how GDPR affects B2B cold calling, and how sales teams can ensure they're conducting their outreach in a GDPR-compliant way.
The General Data Protection Regulation (GDPR) is a set of guidelines designed to empower individuals to have more control over their personal data. This regulation is binding throughout the European Union (EU) and the European Economic Area (EEA). It seeks to set clear boundaries for organizations on how to appropriately use and process personal data.
Several nations have adopted their version of the GDPR, modifying some regulations while retaining the overall objective of preventing unsolicited communication or misuse of personal data. A notable example outside Europe is the California Consumer Privacy Act (CCPA) in the United States.
GDPR and Cold Calling
The GDPR grants individuals more control over their data, which includes understanding where the data originates, the option to withdraw consent, and the right to refuse to be contacted without prior consent. Non-compliance could result in penalties of up to €20 million or 4% of global turnover, whichever is higher.
GDPR-Compliant Cold Calling: Key Considerations
Validity of Consent
Under GDPR, organizations can only use someone's personal data for sales and marketing activities if they can demonstrate they have the lawful right to do so. This right is often referred to as 'legitimate interest'.
A legitimate interest implies that the prospect is being contacted about a product or a service that is genuinely suitable for them. It's important to note that a prospect's desire not to be contacted can override the salesperson's legitimate interest.
The 'Do Not Call' List
GDPR compliance also involves ensuring that the prospect isn't on a 'Do Not Call' list. It's crucial to note that such lists are country-specific, meaning they must be checked on a nation-by-nation basis.
Cold Calling Practices
For sales professionals to follow GDPR guidelines, they have to adopt a customer-centric approach. They should always introduce themselves at the beginning of the call, explain why they are calling, and respect the prospect's decision if they do not wish to talk.
Best Practices for GDPR-Compliant Cold Calling
Screening Phone Numbers
Before making any calls, ensure that all the phone numbers you plan to dial have been checked against the relevant 'Do Not Call' lists. This step is crucial in ensuring the numbers are safe for cold calling.
Understanding Data Acquisition
Ensure you understand where every phone number in your CRM comes from. You must be able to prove that you obtained them legitimately.
Simplifying the Opt-Out Process
Make it easy for prospects to opt out of future contact, including deleting their data.
Ensure that your privacy policies inform your prospect of their rights under the GDPR.
Use of Technology
Leverage technology to manage your calls, including keeping track of your call history and the number of times you call a specific number.
Protecting Personal Data
Keep your prospects' personal data secure at all times.
Ensure that your salespeople are trained on data protection, GDPR, and conducting cold calls in a compliant way.
What should sales reps do on their cold calls to stay GDPR compliant?
Honoring opt-outs and following the rules around legitimate interest isn't difficult.
Introduce yourself and explain why you're calling the prospect at the beginning of the conversation. From there, there are two possibilities:
- If the prospect does not want to speak with you, thank them politely, put the phone down, and do not call them again.
- If you're allowed to continue, keep the hard sell to a minimum.
Aiding GDPR Compliance: Role of B2B Data Providers
B2B data providers like SMARTe can play a significant role in ensuring GDPR compliance. They can help by conducting regular screenings of phone numbers against global Do Not Call lists, maintaining compliance certification, having in-house GDPR data regulation, and offering data subjects the chance to opt out of their database at any time.
Cold Call Strategy Development Under GDPR
Under GDPR, both cold calling and cold email outreach are considered unsolicited communications. This definition necessitates a customer-focused approach from sales teams. Marketers can aid sales teams in gaining permission through lead generation tools or insights on web forms.
When making calls to existing clients for upselling or promotions, it's safe to assume that they have given consent for contact and that there's a valid reason for your call.
Cold Calling to Leads or Potential Clients
GDPR's Article 6 outlines six legitimate reasons for organizations to use personal data. Sales teams should focus primarily on obtaining explicit consent and using data to pursue legitimate interests.
Explaining Legitimate Interest During Cold Calls
If a company's website displays contact information for its personnel, it implies that it's acceptable to contact them regarding sales-related matters. However, if someone questions the source of a phone number and expresses discomfort with being contacted, it may indicate that the intended recipient has not been reached.
Working with GDPR-Compliant Data
B2B data providers must go the extra mile to validate and sort out business and private numbers to provide their clients with GDPR-compliant data. To be compliant, the data controller and data processors need to have a notification process in place.
ePrivacy Directive and Sales Practices
The Privacy and Electronic Communications Directive (ePrivacy Directive) governs unsolicited communications for direct marketing purposes, including the consent (opt-in or opt-out) required for sending cold emails or making cold calls. The rules vary slightly from country to country.
Legal Cold Calls and Emails in the UK
In the UK, you can make live calls without consent to a number if it is not listed on the TPS (UK’s Do Not Call register) and if that person hasn’t objected to your calls in the past. Your calls must be fair, which means you must not make any calls that the person would not reasonably expect or which would cause them unjustified harm.
When it comes to emails, you can send them to any company, partnership, or government body at their corporate email address. If you are emailing employees who have personal corporate email addresses, you need to give them the right to opt out of marketing.
While GDPR has imposed certain restrictions on B2B cold calling, it hasn't banned the practice entirely. By understanding the rules and regulations and implementing the best practices outlined in this guide, sales teams can continue to leverage cold calling as an effective sales strategy while remaining GDPR-compliant.
How SMARTe maintains GDPR compliance
SMARTe provides SOC2, GDPR and CCPA-compliant data. We maintain compliance with the GDPR in the following ways:
- We send out notifications to ensure that the contacts in our database are aware that we hold their data.
- All the mobile numbers in our database are cross-checked against global DNC lists.
- We have been SOC2 Type 2 compliant for the past two years.