This isn’t actually the case; however, you will need to be more careful with the personal data you process. GDPR doesn’t make cold emailing or calling illegal. It regulates how we can process personal data. When sending a cold email to an employee at firstname.surname@company.com, you process his or her personal data. Hence, you need to respect GDPR and its principles. Article 6(1)(f) gives you a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be broken down into a three-part test:
How can you apply legitimate interests in practice?
The ICO website has the following outline on how to assess whether you can rely on Legitimate Interests. The ICO refer to this as a legitimate interests assessment (LIA) and you should do it before you start the processing.
An LIA is a type of risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations under Articles 5(2) and 24. In some cases an LIA will be quite short, but in others there will be more to consider.
First, identify the legitimate interest(s). Consider:
Second, apply the necessity test. Consider:
Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:
You then need to make a decision about whether you still think legitimate interests is an appropriate basis. There’s no foolproof formula for the outcome of the balancing test – but you must be confident that your legitimate interests are not overridden by the risks you have identified.
So where does this leave your in-house marketing and sales teams? Taking into account the GDPR and e-Privacy Directive, it does seem sufficient to offer an opt-out when engaging in direct marketing via e-mail or telephone. This means that consent is not strictly needed. However, the e-mail must concern a “similar service or product” or the recipient must have a legitimate interest in your product.
In all other cases, it is definitely safer to work with an opt-in system consistent with the GDPR. This may be a bit onerous at first, but it is also the path of least resistance. And be sure to keep an eye on developments around the e-Privacy Regulation!
If you want to read more about how the GDPR will affect you and your business with regard to email and telephone marketing, find out more here.