Telesales and GDPR

GDPR should be a regular topic of conversation in any organisation which holds or processes personal data. The General Data Protection Regulation is a European Union regulation governing data privacy and applies if, either the organisation that holds or processes the data, or the individuals that data pertain to, are based in the European Union or the European Economic Area.

Implemented in May 2018, the GDPR replaces, and seeks to simplify, the Data Protection Directive. The overarching goal is to, not only enhance individuals’ control over their personal information, but to simplify the regulatory frameworks for businesses. It is an important part of EU privacy and human rights laws which govern the storage, processing and transfer of personal data. As such, the consequences of non-compliance are potentially severe and can range from reprimands to bans on data processing and, in some cases, very large fines (up to €20 million or 4% of annual turnover).

All companies actively selling and marketing products and services will be holding and processing personal data. The cornerstone of any successful campaign is access to up-to-date information about current customers and prospects. Cold calling, the act of proactively contacting new prospects via the telephone, remains a highly effective method of winning new business. According to Cognism, 57% of C-level executives say they prefer to hear from sales reps over the phone compared to any other B2B channel, and a whopping 82% of buyers admit to having agreed to meetings initiated by cold calls.

The foundation of effective business-to-business (B2B) cold calling is contact data and companies that employ telesales as part of their sales and marketing activity can hold records for many thousands of contacts. So how does GDPR impact these companies?

GDPR sets out seven key principles which companies holding personal data need to be aware of and comply with. These are:

• • Lawfulness, fairness and transparency: The storage and processing of data must have a legal basis and must be fair and not detrimental to the individual whose data are concerned. Organisations holding data must be able to provide individuals with information about the processing of their data which is concise, easily accessible and easy to understand.
• • Purpose limitation: Personal data must be used for specific, explicit and legitimate purposes which are defined at the time that the data are collected. Data must not be further processed in a manner which is incompatible with those purposes.
• • Data minimisation: Organisations should hold the minimum amount of data they require for their intended operations and should never collect or hold unnecessary data.
• • Accuracy: Data held must be accurate and kept up to date. Where necessary, any inaccurate data should be corrected or erased and organisations should have clear processes to correct any inaccuracies.
• • Storage limitation: Data should only be stored while it is needed and no longer. Once an organisation’s purpose for holding the data has expired, the data should be erased.
• • Integrity and confidentiality: Any organisation storing personal data is obliged to put in place technological and organisational measures to ensure that the data are stored secure and cannot be accessed or manipulated by anyone without the appropriate authority.
• • Accountability: Organisations which store and process personal data are required not only to comply with the key principles of GDPR but also be able to demonstrate and evidence that compliance.

Considering how to operate successfully within the rules set by GDPR is vitally important for companies based in, or selling into businesses within the EU or EEA. GDPR is a daily reality for these business and all their selling processes, practices and infrastructure need to be built upon a solid understanding of the GDPR framework and its requirements.

Prospect data is fundamental to cold calling and GDPR can seem like an endlessly confusing multi-headed legislative monster! Companies collecting and storing personal data must comply with GDPR. For example, they need to have consent, or be able to demonstrate that they have a legitimate interest in doing so. For sales, this essentially means that companies without prior consent, should be able to demonstrate that they only hold data for prospects and individuals that could reasonably be expected to have a potential interest in the products or services that they sell. 

For example, if you are running a company that sells laboratory instruments for environmental testing, it would be a reasonable expectation that you would only hold prospect data for business that either operate environmental testing labs or might be expected to in the near future.

There is a general misunderstanding of GDPR which leads some people to believe that they need to give consent for their data to be stored. This is not the case. Prior consent need not be given by a business or individual for an organisation to store and process their data provided that the organisation can demonstrate legitimate interest, Contractual necessity or legal obligation. It is important to note however, that while individuals and businesses don’t need to agree to opt-in to having their data stored it is a requirement that they are given a clear and easy to follow opt-out route. The ‘right to be forgotten’ is enshrined in GDPR. The organisation also need to respect the privacy of the individuals and businesses whose data they hold. If, for example, a prospect requests that all future contact happens via email then contacting them by phone is no longer an option. Privacy options also come into play where data-sharing is a practice. If an organisation wishes to share a prospect’s data, with a business partner for example, then the reasons for that data sharing should be explained to the prospect and their consent should be sought.

In the world of B2B cold calling, embedding appropriate procedures and ensuring that sales teams diligently adhere to them is key to achieving and maintaining compliance. Clear and easy opt-out options during cold calls should be provided as standard. Stating up front “this is a sales call” and offering the prospect the option to hang up can be, not only  good way of driving engagement from a prospect who feels like they are being informed and respected rather than hoodwinked, it also enables them to easily opt-out if they so choose. In addition to this, the purpose and outcome of each call should be documented. Many companies use customer relationship management (CRM) software and call recordings to achieve this but a well set out spreadsheet can achieve the same aim provided it is securely saved in line with GDPR’s principles of integrity and confidentiality. Of course, keeping detailed records is pointless unless those records are regularly audited to ensure that calls are GDPR compliant and corrective action is taken (for example training) is undertaken where incidences of non-compliance are discovered. Companies also need to keep detailed Do Not Call lists in addition to maintaining awareness of, and complying with, other regulations such as the Telephone Preference Service (essentially a central opt-out database).

GDPR extends beyond the Board room or the Sales Manager’s desk. It covers the activities of all staff within an organisation who are involved with capturing, storing, processing or using data. Therefore, it is vital to ensure that all staff are up to speed with GDPR and what it means for their day-to-day activities. In fact, probably the most effective way of preventing GDPR breaches is regular and effective training.

With the severe financial and reputational consequences associated with poor cold calling practice causing GDPR compliance it might seem easier to outsource cold calling to an experienced third party. This is becoming the norm for businesses from sole traders and SMEs all the way up to blue chip multinationals. While outsourcing can allow a company to pass on the majority of its GDPR ‘concerns’  to a third party, it is important to note that it doesn’t provide complete legal insulation or a ‘get-out-of-jail-free’ card in the event of non-compliance. It is therefore, vitally important to select a provider with robust  GDPR compliance processes which inform all their actions. With all that said, outsourcing your cold calling can really raise your sales game too, enabling your top closers to concentrate on closing instead of spending all their time trying to book meetings.

Network Scientific has been a leading provider of telephone-based lead generation services to  the scientific sector for almost 15 years. Our sales team is composed of degree-qualified scientists with decades of relevant industry experience, we also employ rigorous information security and actively work to maintain GDPR compliance across our entire organisation. Since 2018, when GDPR came into force, our number of breaches remains at zero. Not only do our clients benefit from experienced scientific salespeople identifying and qualifying high-value opportunities to feed into their sale pipeline, they also have complete peace-of-mind that we are actively protecting them from GDPR non-compliance.

GDPR sets out strict regulations and requirements around all aspects of data storage, processing and use and as such a good understanding of GDPR is fundamental to avoiding financial and reputational consequences so severe that they could present an existential threat to a company. Cold calling, while an incredibly effective means of identifying and qualifying sale opportunities is potentially more impacted by GDPR than any other business activity. For this reason, outsourcing cold calling to a reputable third party makes absolute sense, not only from a commercial standpoint, but also to maintain compliance around your sales outreach.

To discuss GDPR, cold calling and all things scientific sales and marketing, get in touch.