We've teamed up with the Data Protection Network and OneTrust to bring you a free in-depth report which explores GDPR's impact since it came into force. The report draws on insights from key rulings, the expert view of data protection consultants and the first-hand experiences of organisations which use data extensively. You'll learn about best practice, worst practice and what to expect in the future.
Among the tidal wave of commentary, advice and opinion surrounding GDPR, a handful of people are truly worth listening to. They’re the ones putting serious effort into unpicking the complexity of the 99 articles and 173 recitals before sharing their insights with the business world. One of these is Rosemary Smith of Opt-4.
Rosemary joined a data and content event hosted by Aberdeen recently. You could hear a collective sigh of relief around the room as she presented her expert, common sense interpretation of the regulation for B2B marketers.
It’s not just the depth and breadth of the GDPR that many find challenging. It’s the apparent ambiguities over factors such as ‘legitimate interests’.
On the face of it, companies can process and profile personal data under legitimate interests in place of actual consent in some circumstances. Direct marketing is cited as an example. However, more clarity is needed.
The UK Information Commissioner’s Office is not expected to give official, specific guidance on how legitimate interests apply to direct marketing under GDPR until the new year. But Information Commissioner Elizabeth Denham has pointed out that there is existing guidance under current law, implying that organisations should look at that.
It would be naïve to assume that legitimate interests represent a get-out-of-jail-free card. But naturally, marketers are keen to understand how this might ease the impact of GDPR compliance on core processes.
Rosemary Smith was heavily involved in the Data Protection Network’s joint industry group that published guidance on this issue over the summer. While it doesn’t constitute legal advice, it does at least give a reasoned viewpoint for businesses that want to press on with GDPR preparations.
Central to the DPN guidance is the need to conduct a 3-stage legitimate interests assessment. This involves identifying the legitimate interest, then conducting a necessity test and a balancing test.
B2B GDPR – DPN guidance
- Identifying the Legitimate Interest
Identifying a legitimate interest requires organisations to clearly define why they need to process an individual’s personal data. A legitimate interest may be elective or business critical. And the purpose of processing or profiling may be entirely obvious. Nevertheless, it’s crucial that the objective is clearly articulated and communicated to the individual.
- Conducting a necessity test
The second stage is to consider whether the processing of personal data is truly necessary. Interpretation of ‘necessary’ is pivotal here. The DPN advises that it may be easiest to ask yourself ‘is there another way of achieving the objective?’.
If there’s no other way, then clearly it is necessary to process the data. If alternative ways would require disproportionate effort, processing may still be deemed necessary. And if there are multiple ways of achieving the objective, a Data Protection Impact Assessment should be used to identify the least intrusive approach. However, if it is not necessary to process the data, legitimate interests cannot be relied upon as a lawful basis for the activity.
- Conducting a balancing test
Once you’ve determined that it is necessary to process the data, the next step is to carry out a balancing test. This requires a fair and thorough assessment of the rights and freedoms of the individual, to be sure that these don’t outweigh the interests of the organisation. Considerations range from the reasonable expectations of the individual to the type of data involved and the impact that processing it may have upon the individual.
A core characteristic of GDPR is the need for transparency and accountability. So, conducting the 3-stage assessment does not go far enough in itself. The process, outcomes and reasoning need to be recorded and stored to provide evidence of decision-making rationale if required.
A proportionate, responsible approach
GDPR wouldn’t matter quite so much to marketers if data didn’t play such a vital role in revenue-generating operations. Getting to grips with the requirements and fully understanding the legitimate interests provisions is essential to developing a proportionate approach to compliance.
A balance needs to be struck here. It’s about protecting personal information while striving to create a frictionless environment for users and automated processes that require data.
Rosemary Smith will be co-hosting a webinar to further explore legitimate interests on Wednesday 22 November. You can register here.