We’ve been working closely together with a range of direct marketing- and call center associations to gain a better insight of GDPR and precisely how it will affect the call center and telemarketing industry.
In this blog post, we’ve gathered the top 8 questions we heard while discussing with our customers and partners.
Disclaimer, this post is based on our research, discussions, and workshops with GDPR experts and Direct Marketing Associations (DMA’s), it is not a legal document. We recommend consulting a lawyer or your local DMA for legal advice and interpretations.
The EU defines “personal data” as “any information relating to an identified or identifiable natural person.” That includes documents such as “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
All companies that work within the European Economic Area (EEA) or with personal data relating to people within the EEA need to comply.
For LeadDesk customers that are located in the EEA or are contacting people within the EEA, you need to comply with GDPR.
That depends on what you do. There’s a bit of misconception of who needs a DPO. Originally the regulation stated that companies over a certain size required a DPO. Later the requirement was changed, requiring companies that are public authorities, whose core activities require large-scale, regular and systematic monitoring of individuals or whose core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.
It seems like cold calling does not require explicit consent, as long as local regulation allows it. What you need to be able to do is show that there is a legitimate interest in the service or product that you’re offering (Article 6(1)(f)) and that your business relies on direct marketing (your freedom to conduct business) to operate.
You should, however, minimize the data you’re collecting, and you need to ensure that the people you are calling can opt-out of being contacted again.
We recommend contacting your local DMA if you’re unsure whether your use-case requires consent.
The most common way to ask for consent is by asking them to opt-in. Opt-in requires the user to give their consent actively. Don’t use pre-ticked boxes, opt-out boxes or other default settings.
There is no set time limit for consent since it depends on the context. You should, however, review and refresh consent as appropriate and make it easy for people to withdraw consent at any time.
It depends where you are getting your leads. You should make sure that any partners that you work with are compliant with GDPR regulations. Please contact LeadDesk if you want recommendations for local partners.
The way GDPR is designed, saving data longer than necessary is not advocated. The more data you have, the more the risks and penalties increase, that’s why we recommend minimizing data. For further information, we recommend consulting your local DMA’s.
Retiring old contact lists is done automatically in LeadDesk. When uploading a calling list, you choose when the list expires. Expired lists are then archived, after which admins can choose to either reuse or anonymize the list.
It depends on the nature of your call and the recording, as well as your industry. In other words, you should treat call recordings according to industry best practices as defined by your local DMA.
We’ve created an example document for our customers and partners to download. Please contact your local AM or firstname.lastname@example.org to get your copy.