Here’s a 10 point checklist to ensure lead generation GDPR compliance:

1. Which legal basis

The first thing any marketing department needs to do is to decide on the legal basis upon which they will market to consumers across different channels. For lead generation this means asking yourself whether you need explicit consent directly from consumers, or can you rely on contractual agreements or legitimate interest?

2. Channel-specific regulations

Legal obligations will vary for each marketing channel (telephone, SMS, email, post etc.) so it’s important to dig into the details of the legislation for each. Furthermore, marketers must adhere to the Privacy and Electronic Communications Regulations

(PECR), as well as GDPR, so it’s vital to establish compliance with both laws.

3. Telephone Preference Service

One of the fundamental parts of PECR is that if your organisation are relying on legitimate interest under GDPR, and wish to conduct telemarketing activities, you must check that the people you wish to call have also not opted out through the Telephone Preference Service (TPS).

4. Contracts

Once you have decided how you want to justify lead generation under the relevant legislation, this needs to be implemented in the contracts you have with all partners and lead generators. The way you do this will vary contract by contract.

5. Company directors

Use the Companies House register to look into the background of the company directors of each of your partners, be wary if they have been involved in companies that have been dissolved, especially large numbers or through insolvency or administration. Also, run a credit check on providers using a service such as Experian.

6. Policies and procedures

Ensure your partners have robust, compliant policies to deal with subject access requests, complaints and other incidents. If you identify a data collection or handling activity that is not documented stop working with that partner until they can provide sufficient documentation.

7. Minimise the risk of breaching GDPR

Minimising the amount of data that is being collected has many benefits including lower cost, higher conversion rates, and lower risk of breaching regulations. Revisit the business goals for your campaigns and ensure that you’re only collecting data that is essential to the success of the campaigns being run. For example, if your only planning to contact people via email, you don’t need to collect postal addresses. This will not only minimise the amount of data being collected but also re-focus optimisation efforts.

8. Continuous scrutiny

Lead generation is a fluid process, so it’s important to conduct regular performance reviews and audits. When taking on a new partner or supplier, review performance daily for the first two weeks and then weekly from there onwards. If performance (i.e. cost per lead or cost per action) varies by more than 50% across a single supplier, ask them to provide you with a list of their traffic sources and check they are all compliant. If you have any concerns, stop working with that partner.

9. Complaints

Complaints usually mean that the supplier is not effectively communicating how the data being collected will be used and consumers are confused about why you’re contacting them which will damage your brand reputation. Regardless of the volume of leads delivered by a supplier, you should not receive complaints.  

10. Management changes

Look for changes in management or rapid turnover of staff. Credit check new company directors and the status of the company’s credit check. If you see that any new directors have a poor track record or that the supplier is getting into financial difficulty, stop working with them and investigate the causes.