One of our members recently asked this…
‘We have checked our marketing database and can see we do not meet either the GDPR consent criteria or the criteria for the ‘soft opt in’ under PECR Regulation 22 as mentioned in your previous article ‘Email marketing when your consent is not up to GDPR standards’. I understand I can’t send an email asking people to consent to further marketing emails, as that email itself will be considered as marketing, but can I call these people to get consent?’
Live phone calls are covered by Regulation 21 of the PECR, which allows businesses to make unsolicited marketing calls to people. However, before making a call, the business has to check that the person is not registered with the Telephone Preference Service (TPS). If a person is on that list, and so doesn’t want calls, you cannot call them unless that individual has given you specific permission to do so. So, if you check the TPS and your customer is not listed there, you can call to ask them to consent to future email marketing, but you are advised to keep a clear record of the conversation and its date. You must make a note of anyone who doesn’t wish to receive further calls and check that list each time you make such calls in the future. You must not withhold your number when making these calls.
If your marketing call is to another business, you will need to check both the TPS and the Corporate Telephone Preference Service (CTPS), as some businesses (sole traders and the like) will be registered with the TPS and others (limited companies) with the CTPS. However, if the business is not on either list, you can continue to call them. Under GDPR, you would probably cite legitimate interest as your ground for processing.