Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Cold calling can still be a powerful way to win new customers or reconnect with lapsed ones. But the rules around using personal data for sales calls in the UK are strict - and the penalties for getting it wrong can be costly.
Don’t stress - with the right setup and a clear process, you can run compliant, effective calling campaigns. In this guide, we break down GDPR and the UK’s marketing rules for cold calling in plain English, so you can protect your business and build trust with prospects from day one.
What Laws Govern GDPR And Cold Calling In The UK?
In the UK, live sales calls are regulated by two key regimes working together:
- UK GDPR and the Data Protection Act 2018 (DPA 2018) - govern how you collect, use, share and store personal data (like names and phone numbers), your lawful basis for calling, transparency obligations, data subject rights, and security.
- Privacy and Electronic Communications Regulations (PECR) - set the specific direct marketing rules for calls (e.g. when you can call, consent requirements, and when you must not call).
You also need to factor in the Telephone Preference Service (TPS) and the Corporate TPS (CTPS), the registers of numbers you must not cold call.
For a broader overview of live and automated calling rules, it’s worth aligning your processes with the core principles in the UK’s cold calling laws and your general data protection duties for business calls.
When Can You Make Cold Calls Under PECR?
PECR draws an important line between live calls and automated calling systems (pre-recorded messages):
- Live marketing calls to individuals (consumers, sole traders, and most partnerships): You can usually rely on “opt-out” rules - you don’t need prior consent, but you must not call anyone who:
- Has told you they don’t want your calls; or
- Is listed on the TPS.
- Live marketing calls to businesses (limited companies, LLPs): You can usually call, but you must not call numbers listed on the CTPS or where the business has objected.
- Automated marketing calls (pre-recorded): You must have prior consent. No consent = no automated calls.
PECR also requires you to display your number (no number withholding) and identify who’s calling. You must give a clear, easy way to opt out during the call and you need to honour that opt-out promptly.
How Does GDPR Apply To Cold Calling?
GDPR (as retained in the UK) applies because you’re processing personal data to make the call, even if you obtained the number from a third party. Here’s what this means for your campaign:
1) Choose A Lawful Basis
Most businesses rely on legitimate interests for live sales calls. You should complete and document a Legitimate Interests Assessment (LIA): identify your interest (e.g. promoting your services), show the call is necessary, and balance your interests against the person’s rights. If you can’t justify this, or you’re planning intrusive profiling, consider whether consent is realistically required (it will be for automated calls).
2) Respect The Right To Object
Under GDPR, individuals can object to direct marketing at any time. If they say “don’t call me” - verbally or in writing - you must stop. Keep an internal “do-not-call” suppression list so you don’t contact them again.
3) Be Transparent (Privacy Information)
You need to tell people how you got their number and how you’ll use their data. If you collected details from the person directly, make sure your Privacy Policy and call script cover this. If you sourced data from a third party, Article 14 requires you to provide a privacy notice within a reasonable time (usually within a month, or at the first communication).
4) Keep Data Accurate And Up-To-Date
If a number is wrong or results in a persistent objection, update your records and suppression lists quickly. Inaccurate data can increase complaints and compliance risk.
5) Limit Retention
Don’t keep call lists longer than necessary. Set (and follow) a retention period aligned with your marketing cycle and any legal hold needs. This is a key plank of GDPR compliance and links directly to your data retention policy.
6) Secure Your Data
Use appropriate technical and organisational security measures. If you use a dialler platform or outsource calling, make sure you have the right contracts in place - typically a Data Processing Agreement with processors that handle personal data for you.
7) Enable Data Rights
Have a process to recognise and respond to subject access requests, corrections, objections and deletion requests within statutory timelines. Building this into your CRM workflow will save time and reduce risk during busy campaigns.
B2B vs B2C Cold Calling Rules (And TPS/CTPS) Explained
Under PECR, “individual subscribers” (consumers, sole traders and some partnerships) get stronger protection than “corporate subscribers” (limited companies, LLPs and some government bodies). The practical impact:
- B2C (individual subscribers): You can make live sales calls unless they’re on the TPS or have told you not to call. You must identify yourself, display a number, and offer an opt-out on every call.
- B2B (corporate subscribers): Live calls are permitted unless the number is on the CTPS or the business has objected. Don’t assume B2B means “no rules” - PECR still applies, and GDPR will apply if the data identifies a living person (e.g. named direct lines, mobiles).
Whichever audience you target, build a robust suppression process. Check numbers against TPS/CTPS before calling and at regular intervals, keep proof of your checks, and immediately add any “do not call” requests to your internal list.
Building A Compliant Cold Calling Workflow (Step-By-Step)
Here’s a simple blueprint you can adapt to your business size and sector.
Step 1: Map Your Data And Purpose
- What personal data will you use? (names, numbers, job titles, notes)
- Why are you calling? (specific product/service promotion)
- What lawful basis applies? (usually legitimate interests for live calls; consent for automated calls)
Step 2: Clean And Screen Your Lists
- Source leads responsibly. If buying data, carry out due diligence on how consent/collection was obtained and document it.
- Run TPS/CTPS screening and record when checks were completed.
- Remove existing customers who’ve opted out or complained.
Step 3: Prepare Transparent Scripts
- Identify your business and display a valid number.
- Say why you’re calling and, if asked, where you got their number.
- Offer a simple opt-out (“If you’d prefer we don’t call again, just let me know”).
- Train agents to log objections immediately and mark the record “do not call”.
Step 4: Update Your Privacy Information
- Make sure your website Privacy Policy covers direct marketing, your lawful basis, sources of data, retention and rights.
- Prepare an Article 14 notice template for data obtained from third parties.
Step 5: Put The Right Contracts In Place
- If a provider hosts your call platform or provides agents, they’re likely a data processor - put a Data Processing Agreement in place.
- For data sharing with partners (not acting as processors), consider a Data Sharing Agreement to allocate responsibilities.
Step 6: Set Retention And Suppression Rules
- Define how long you keep call lists and notes - then enforce it via your CRM.
- Maintain an internal “do-not-call” list and ensure it’s checked before each campaign.
Step 7: Train, Monitor And Document
- Train staff on PECR/GDPR basics, scripts, and how to handle objections and data rights.
- Log TPS/CTPS checks, LIA outcomes, and opt-out handling - this evidence helps if the ICO investigates.
- Plan for data rights workflows, including handling SAR deadlines.
What Should Your Cold Calling Script Include?
A good script is your front-line compliance tool. Keep it short, natural and compliant:
- Clear identity: “Hi, it’s Alex from Example Ltd.”
- Number presentation: Make sure your outbound number is displayed.
- Purpose: Briefly explain why you’re calling and the value to the recipient.
- Transparency: If asked, be ready to explain where you sourced their details and point to your Privacy Policy.
- Opt-out: Include a simple, verbal opt-out line and record any objections immediately.
If you’re calling existing customers, tailor the script accordingly - you may have a stronger legitimate interest, but the right to object still applies. If you’re ever using pre-recorded messages, get consent first and keep robust evidence of that consent.
Key Pitfalls To Avoid (Common ICO Issues)
- Calling TPS/CTPS numbers: Always screen your lists before dialling.
- Ignoring objections: Failing to log and honour “don’t call me” requests is a fast track to complaints.
- Using bought lists without checks: If a broker’s data is stale or unlawfully sourced, you share the risk.
- No transparency: Not telling people who you are, why you’re calling, or where you got their number undermines trust and compliance.
- Overlong retention: Keep call notes and lists only as long as needed, in line with your data retention policy.
- Missing records: If challenged, you’ll need to show when TPS checks occurred, how you conducted your LIA, and how opt-outs are actioned.
- No ICO registration: Most organisations that process personal data must pay a data protection fee - check whether you need to pay or fall under an ICO fee exemption.
Do You Need Consent For Cold Calling?
It depends on the type of call:
- Live sales calls: Usually, consent isn’t required - but you must comply with PECR’s opt-out regime (respect TPS/CTPS and honour objections) and have a GDPR lawful basis (typically legitimate interests).
- Automated calls: You must have prior consent, which must be freely given, specific, informed and unambiguous. Keep records of how and when you obtained it.
Consent is rarely practical for large-scale live calling, so tight screening, clear scripts and solid suppression processes are essential.
Buying Call Lists: What Due Diligence Should You Do?
Plenty of businesses source third-party lists. If you do, take extra care:
- Get written assurances on data provenance, collection method, and recency.
- Check whether numbers are individual or corporate subscribers; screen against TPS/CTPS yourself regardless of what the broker claims.
- Audit a sample for accuracy and duplication.
- Ensure your privacy information under Article 14 is provided on time after first contact.
If the broker can’t demonstrate compliant collection, don’t use the data. You’ll bear the risk if the ICO investigates.
What If You Record Calls?
If you record calls (for training or quality), let people know at the start and explain why. Under GDPR, you’ll still need a lawful basis, strong security, and a defined retention period. Build this into your business calls policy and scripts, and make sure your processors (dialler platforms, cloud storage) are covered by a Data Processing Agreement.
How Do Cold Calls Fit With Other Marketing Channels?
Cold calling is just one piece of your marketing mix. The rules differ for other channels (emails, SMS, social DMs), especially around consent and the “soft opt-in”. If you’re planning multi-channel campaigns, align your processes with the PECR rules on email marketing and, for certain scenarios, the soft opt-in.
Key Takeaways
- Cold calling in the UK is governed by UK GDPR/DPA 2018 and PECR. Live calls generally don’t need consent, but you must screen against TPS/CTPS and honour objections immediately.
- Automated marketing calls require prior consent - keep robust evidence or avoid this channel.
- Choose and document a GDPR lawful basis (usually legitimate interests for live calls), provide clear privacy information, and maintain strong suppression and retention processes.
- Build compliance into your workflow: TPS/CTPS screening, transparent scripts, quick opt-out handling, secure systems, and the right contracts (e.g. a Data Processing Agreement with providers).
- If you buy data, do proper due diligence. If provenance is unclear or consent is missing for automated calls, don’t use it.
- Keep your privacy documentation up to date, prepare for subject access requests, and check whether you must pay the ICO data protection fee.
If you’d like help setting up compliant scripts, policies and contracts - or you need a tailored Privacy Policy and data protection pack for your sales team - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.