
B2B GDPR – a common sense view and workable expertise, at last

There aren’t many marketers who don’t already know that, next May, the GDPR (General Data Protection Regulation) is changing. It has caused sleepless nights for many and will lead to fines if not adhered to correctly once the regulation has been enforced. Many offer words of wisdom on the subject of B2B GDPR and how to get it right, but here, a voice of reason rings out, so wake up and read the expertise.

Rosemary Smith, founder/director Opt-4 and the Data Protection Network.

Among the tidal wave of commentary, advice and opinion surrounding GDPR, a handful of people are truly worth listening to. They’re the ones putting serious effort into unpicking the complexity of the 99 articles and 173 recitals before sharing their insights with the business world. One of these is Rosemary Smith (pictured left) of Opt-4.

Rosemary joined a data and content event hosted by Aberdeen recently. You could hear a collective sigh of relief around the room as she presented her expert, common sense interpretation of the regulation for B2B marketers.

Legitimate Interests

It’s not just the depth and breadth of the GDPR that many find challenging. It’s the apparent ambiguities over factors such as ‘legitimate interests’.

On the face of it, companies can process and profile personal data under legitimate interests in place of actual consent in some circumstances. Direct marketing is cited as an example. However, more clarity is needed.


UK Information Commissioner, Elizabeth Denham.

The UK Information Commissioner’s Office is not expected to give official, specific guidance on how legitimate interests apply to direct marketing under GDPR until the new year. But Information Commissioner Elizabeth Denham (pictured right) has pointed out that there is existing guidance under current law, implying that organisations should look at that.

It would be naïve to assume that legitimate interests represent a get-out-of-jail-free card. But naturally, marketers are keen to understand how this might ease the impact of GDPR compliance on core processes.

Rosemary Smith was heavily involved in the Data Protection Network’s joint industry group that published guidance on this issue over the summer. While it doesn’t constitute legal advice, it does at least give a reasoned viewpoint for businesses that want to press on with GDPR preparations.

Central to the DPN guidance is the need to conduct a 3-stage legitimate interests assessment. This involves identifying the legitimate interest, then conducting a necessity test and a balancing test.

B2B GDPR – DPN guidance

  1. Identifying the Legitimate Interest

Identifying a legitimate interest requires organisations to clearly define why they need to process an individual’s personal data. A legitimate interest may be elective or business critical. And the purpose of processing or profiling may be entirely obvious. Nevertheless, it’s crucial that the objective is clearly articulated and communicated to the individual.

  2. Conducting a necessity test

The second stage is to consider whether the processing of personal data is truly necessary. Interpretation of ‘necessary’ is pivotal here. The DPN advises that it may be easiest to ask yourself ‘is there another way of achieving the objective?’.

If there’s no other way, then clearly it is necessary to process the data. If alternative ways would require disproportionate effort, processing may still be deemed necessary. And if there are multiple ways of achieving the objective, a Data Protection Impact Assessment should be used to identify the least intrusive approach. However, if it is not necessary to process the data, legitimate interests cannot be relied upon as a lawful basis for the activity.

  3. Conducting a balancing test

Once you’ve determined that it is necessary to process the data, the next step is to carry out a balancing test. This requires a fair and thorough assessment of the rights and freedoms of the individual, to be sure that these don’t outweigh the interests of the organisation. Considerations range from the reasonable expectations of the individual to the type of data involved and the impact that processing it may have upon the individual.

A core characteristic of GDPR is the need for transparency and accountability. So, conducting the 3-stage assessment does not go far enough in itself. The process, outcomes and reasoning need to be recorded and stored to provide evidence of decision-making rationale if required.

A proportionate, responsible approach

GDPR wouldn’t matter quite so much to marketers if data didn’t play such a vital role in revenue-generating operations. Getting to grips with the requirements and fully understanding the legitimate interests provisions is essential to developing a proportionate approach to compliance.

A balance needs to be struck here. It’s about protecting personal information while striving to create a frictionless environment for users and automated processes that require data.

Rosemary Smith will be co-hosting a webinar to further explore legitimate interests on Wednesday 22 November. You can register here.


Author: Judith Niederschelp

Judith Niederschelp is managing director of Aberdeen Group Europe, a specialist in data-led marketing for technology companies. She has more than 20 years’ international experience in the industry and a deep-rooted understanding of the B2B sector.
