Data Compliance with Cold Callers

It’s the afternoon, I’m at work and getting on with my day. Suddenly, I have a random phone call:


Cold Caller: “We were informed you had an accident”

Me: “Where did you get my information from?”

Cold Caller: “Was the accident your fault?”

Puts the phone down…


Now, I know you will have experienced something similar; it leaves you wondering how they even managed to get your phone number, and whether they can really be legally allowed to do this. Well, technically, they can!

Cold calling in compliance with GDPR is something of a ‘balancing act’. There are a number of ways that a company can cold call you without always having your consent and still remain compliant. I am going to explore how this is possible and what measures are in place to make sure your data and rights are protected.

The Main Ways a Business Can Cold Call in line with GDPR

Knowing how your business is GDPR compliant is difficult enough; it’s a complex issue that many established businesses struggle to understand, even now! Under GDPR, there are two relevant ways, or ‘clauses’, by which a business can legally store your personal data and use it to contact you via telemarketing.

Explicit Consent

An obvious one. Cold callers are able to use your information to call you if you have provided them with your consent. The law states that you must explicitly give the business your consent to store your information, and you must also know clearly what this information will be used for. If you are aware that your information can be used for telemarketing, then that business will legally be able to ‘cold call’ you to market their products or services. However, if you have only given permission to be sent marketing materials via something other than telemarketing, then these businesses are not allowed to cold call you. While this may still happen, it is important to understand that it isn’t compliant.

Furthering Legitimate Interests

The second clause allows the processing and retention of information for direct marketing purposes (cold calling) if it is in the legitimate interests of the business. Essentially, this gives businesses the right to use cold calling for marketing purposes to generate a profit or for the betterment of their business.

This is where the ‘balancing act’ comes into play with cold calling and GDPR. To break it down, you do not necessarily need to have explicit consent when using the principle of legitimate interest for your marketing efforts.

While you may look at this and think that your rights and data are not protected by this principle, this clause can only be used for cold calling if the business follows a series of steps that ensure the safety of you and your data.

How GDPR ensures you are still protected (and businesses stay compliant)

Under GDPR, those who are cold calling are required to report and officially document their campaign’s legitimate interest. As well as this, they are required to take into consideration the rights of the individual they are calling. Businesses are not able to cause distress to individuals when using their data and need to consider the potential distress that they may cause through their cold call efforts.



Businesses that cold call must also have an easy opt-out policy and a clear privacy statement that explains to those who are being called where their data came from. This brings us back to the call I mentioned earlier: in situations such as that, you are well within your rights to ask to opt out, and under GDPR the cold callers are obligated to remove you from their database. While they may be reluctant to do so, retaining this data will be in breach of GDPR and can result in fines and penalties for their business.

What does this mean?

Unfortunately, for those who hate cold callers, there is not much you can do to avoid being called. However, you can find satisfaction in knowing that you are within your rights to opt out of marketing via cold calling, and if they continue to call after you opt out, we recommend that they are reported.

For the businesses who are using cold calling as a direct marketing method… Are you being fully GDPR compliant? 


At 6S, our GDPR consultancy services will enable you to fully understand what GDPR risks your organisation faces and what your priorities should be in terms of remediation activities. Working with us can improve the functionality of your business’s compliance, ensuring that there are no bumps in the road for your marketing campaigns.


To conclude this blog, I’ll leave you with my approach to cold callers…


“I don’t know who you are. I don’t know what you want. If you are looking for a quick buck, I can tell you I don’t have money, but what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you remove my data from your system that’ll be the end of it. I will not look for you, I will not pursue you, but if you don’t, I will look for you, I will find you and I will get you reported to the ICO!”