Project Methodology, GDPR & Data Security Compliance
To ensure our service delivery is compliant with GDPR (General Data Protection Regulations) coming into force in May 2018, we have implemented robust data security and a granular approach to GDPR consent management.
While GDPR codifies many of our B2B lead generation existing practices, it requires additional processes, staff training, data security and reporting systems.
Legal basis for outbound telemarketing under GDPR
Under Recital 47 of the GDPR and Article 16 of the European Charter of Fundamental Rights, outbound B2B telemarketing is possible on a legitimate interest basis as long as opt-out is provided during the call and that the call list is first screened against our client’s in-house opt-out list and the CTPS.
Establishing the legitimate basis for contacting each lead
The ‘legitimate interests’ clause in Article 6 (1) provides a lawful basis for storing and processing data for this purpose. However, it is necessary to establish and record the case for legitimate interest in each campaign and for each target market. To do this we systematically conduct and record a three-part test, in accordance the CIO guidance.
1) The Purpose Test: Are we pursuing a legitimate interest?
Providing the product and / or service being promoted corresponds to the job function and responsibilities of the target contact data set, then undertaking B2B telephone marketing to individuals within target organisations, (who have not previously objected to you and whose numbers are not listed on the CTPS), is permissible.
2) Necessity test: Is processing necessary for that purpose?
Telemarketing delivery requires the processing and recording key contact data including ‘Personally Identifiable Information’ (PII) covered by GDPR. This PII is typically not defined as sensitive data and is limited to name, job title, business email and occasionally business mobile phone.
At JSM we have a policy of data minimisation, with documented limitations on how much data is collected and how long it’s kept for. This is agreed with our client (GDPR Controllers) at the outset of any project.
B2B telemarketing has a high cost per contact form of marketing and is, therefore, employed where other routes to market are ineffective at reaching a particular audience or fail to articulate a complex and high value proposition effectively.
3) Balancing test: individual’s interests v's legitimate interest?
Each case is assessed on its individual merits. B2B telemarketing seldom involves processing of sensitive information. Any PII is typically limited to name, job title, business email and occasionally business mobile phone.
Much of this data often already in the public domain and, therefore, we can reasonably expect that processing this data will have a minimal impact on privacy and no discernible impact on the ‘fundamental rights and freedoms’ of the data subject.
At JSM, we employ internal best pratice guideleines and ‘safeguarding’ proceedures designed to minimise the risk to every individual’s privacy. These are set out in more detail below.
Acting as a data processor delivering telemarketing campaigns on behalf of our clients, we are committed to ensuring best practice GDPR compliance.
Set out below are the processes and system we employ to deliver this:
As Processors it is our responsibility to ensure that we:
- Obtain and / or process the personal data fairly
- Keep data only for one or more specified and lawful purposes
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give a copy of his/her personal data to any individual, on request.
Processes & Safeguards
GDPR Article 24 requires Controllers and Processors to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance’ with the GDPR.
1 Operational Safeguards
JSM maintains a series of operational safeguards to help minimise the risk of data loss or misuse of personal data in any way. These include:
- Establishing documented limitations on how much data is collected and how long it’s kept for. This is dictated by the product or service life cycle and associated procurement timescales.
- Limiting the number of calls placed to individuals within a given time frame to reduce the level of inconvenience to them.
- Ensuring we clearly articulate the origin and purpose of each call, gaining consent for the call at the outset, clear agreement on any follow up actions and ensuring an opt out option is provided.
- Implementing an internal training program detailing how to handle requests for information about our client’s organisation and the data that it holds on prospects or customers.
- Maintaining a transparent and auditable process for managing requests to make corrections to or delete wrong information.
- A clear reporting process to ensure these requests are escalated to our clients so that any duplicate copies of data held by the Controller can also be amended or deleted.
2 Data Security Safeguards
While privacy enhancing technologies help protect against data breaches, vulnerabilities of a single on-demand service supplier’s platform are rare compared with those of in-house systems.
A single integrated SaaS environment with enterprise level security
Following a security review in 2016, JSM decommissioned legacy in-house servers and PBX, migrating to a single secure cloud hosted system, Bitrix24. Bitrix24 provides fully integrated CRM, task management, document management & storage, activity stream, email client, telephony, IVR, call logging and call recording capability.
A highly secure turnkey intranet solution, Bitrix24 provides a robust GDPR compliant platform and reporting solution, moving all data from network silos and local drives to a well-protected centralised repository.
Bitrix24 – Platform Security
Bitrix uses 2 step password authorisation with all client information accessed via a secure SSL connection and hosted at Amazon’s HIPAA, ISO 27001, SOC 1/2/3, Directive 95/46/EC and PCI DSS Level 1 accredited Frankfurt Data Centre with daily back ups.
All data centers used by Bitrix24 are protected in compliance with SAS 70 Type II (which includes access to the physical storage media based on biometric data and maximum protection against intrusion) and conform to the Safe Harbor standard.
Bitrix24’s security https://www.bitrix24.com/security/
Profiles, Roles & Access
Bitrix24 employs user profile access restrictions help ensure PII data protection by design and by default.
Access to data contained in Bitrix24’s CRM is defined by the users Role. A JSM Director acting as project lead will have the ability to Delete, Import or Export leads. The JSM Telemarketing Executive working on a campaign will only be able to Read, Add and Update CRM records. Data relating to any campaign is only visible to team working on that campaign.
Bitrix24 Administrators can view employees’ activity logs in order to identify suspicious activity as well as to manage campaign activity.
Activity Logging & Data Currency
Bitrix24 uses automated activity logging to provide auditable control of processing activities.
All events including phone calls, messages and GDPR PII data modification requests related to a contact are easily logged and further interaction (tasks) can be scheduled and allocated.
Bitrix24 has fully featured VoIP PBX integrated into the CRM. Telephones calls are made directly from the CRM through a secure, high-quality connection. Each call is automaticaly logged against the record with the option to record the conversation. Recorded audio files can be appended to the client’s record. This feature can be utilised to provide documented legal consent for future contact.
Client Owned Installation
In meet GDPR’s ongoing requirement to maintain proof of consent and clear data ownership, we can facilitate a seperate, client specific installation of Bitrix24. A dedicated campaign telephone number can be rented and any post campaign or out of hours inbound calls auto forwarded to the client’s switchboard.
Configured and managed by JSM for the duration of the campaign, the Bitrix24 installation contact is between Bitrix24 and the client. At the conclusion of the campaign, JSM access privileges can be revoked and ownership and access to the campaign data set is retained by the client. This data set includes all call recordings.
Processor & Controller Responsibilities
Outbound lead generation GDPR compliance requires commitment from both data Processors and data Controllers.
As 3rd party data Processors, we process personal data only on documented instructions from the Controller. Where the Controller provides either the contact data set or instructs us on data set composition (e.g target job role), JSM reserve the right to request legal advice at the Controllers expense before proceeding where reasonable concern exists over legality of legitimate interest as a basis for contact.
As 3rd party Processors, our GDPR responsibilities cover the work undertaken by us on behalf of our clients as defined by the terms of the contract. At the completion of the contract, all data is handed over to the client. No copies or access to copies of PII data are retained by JSM. All responsibility for subsequent use and maintenance of the data reverts to the Controller.