Understanding legitimate interest: The marketer's GDPR guide

By Tim Holt

The new General Data Protection Regulation (GDPR) will apply from 25th May this year. The Information Commissioner’s Office (ICO) is making efforts to clear up the confusion around this forthcoming data protection law. However, many marketers remain confused about the concept of ‘legitimate interest’, and specifically about what role legitimate interest will play in the future when it comes to sending marketing communications to customer databases.

What Is Legitimate Interest?

GDPR requires personal data to be processed lawfully, and one of the six lawful bases for processing is that it is in the ‘legitimate interests’ of the controller or a third party.

Article 6(1)(f) of the GDPR defines this legal ground for data processing as where it is ‘Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject’.

The 47th Recital of the GDPR text, which accompanies this provision, says that the ‘processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’.

Many, mistakenly, see this as giving them the freedom to carry on as they are. Sadly, it’s not quite that simple.

The important thing to acknowledge is that there is a significant difference between “processing personal data for direct marketing” and “sending direct marketing”.

If you wish to send direct marketing (like emails) to individuals, this, in most cases, requires the following:

A legal basis for processing (i.e. storing in a database) the personal data. This can be based on a legitimate [business] interest, but you should conduct an assessment before assuming you have one;

Consent / opt-in (to the GDPR standard of consent) if marketing to individual consumers (not necessary for B2B incorporated contacts).

Even at this stage, businesses are uncertain whether they can tick both boxes, or may be unable to demonstrate compliance.

For marketers, there are certain business activities where consent is difficult or impossible to obtain, and therefore relying on the lawful basis of legitimate interest is the most viable option. These activities include:

1. Suppressions – Limited data may need to be retained to ensure marketing is no longer sent to an individual who has opted out.

2. Personalisation – While consent is needed for marketing communications, a business dependent on personalisation to inform its marketing strategy, e.g. a travel agency, can justify its need to tailor its offering to customers using their personal data.

3. Direct Mail – Where obtaining consent is not viable, an organisation, for example a charity sending a postal mailshot to existing supporters, may want to use legitimate interests. However, it will still need to ensure it can establish necessity and balance its interests with the interests of those receiving the direct marketing communication.

4. Updating customer details & preferences – Controllers have to be careful as to how such activity is carried out. For example, if you use a third party to verify the accuracy of customer data then you need to ensure the necessary usage consent is in place.

How can marketers demonstrate Legitimate Interest?

In all instances of using legitimate interest – be it marketing, credit checking or risk assessment – there remain the following requirements:

To justify that your plans to use their data are necessary and proportionate to the business objectives sought

To make it clear to individuals how you plan to use their data

That you have given individuals a clear, easy opportunity to exercise their right to object to this data processing

In order to fulfil these important requirements, organisations should conduct a Legitimate Interest Assessment. This can be used to demonstrate that the processing is a necessary, proportionate and fair means to achieve the objectives of the marketer (i.e. to generate business), and that this processing would equally be in the interests of the data subject. The results of an assessment of legitimate interests must be documented and made available to the relevant authorities if needs be.

Part of this assessment includes a Balancing Test. This will establish whether your interests outweigh those of the data subject (which they shouldn’t). Where processing is clearly against the wishes of the data subject, a legitimate interest could not be demonstrated. Would the data subject anticipate the processing? Will it have an impact on their privacy that would be unreasonable in the circumstances?

So, is legitimate interest an easier lawful basis to rely on than consent? We’re not sure it is! However, where justified, it remains an important alternative when consent is not possible, to ensure you stay on the right side of GDPR.

For further information, the ICO has provided a guide to using legitimate interests as a lawful basis for processing.

Further reading: Data HQ's complete guide to the GDPR
