Filter by/
Region/  All
Type/  All
Sorted By/  Most Recent

GDPR: legitimate interest pitfalls & how to avoid them

By / / In Best practice /
How can marketers navigate the details of the incoming GDPR to avoid legitimate interest pitfalls? In Recital 47 of the GDPR, legitimate interest is described as 'processing of personal data for direct marketing purposes', but these words have created the common misunderstanding that this means all marketing and even soft opt-ins. Guy Hanson says this is not the case and not all email marketing or all sending of direct marketing material is permitted. Here’s what the wording doesn’t say.
legitimate interest pitfalls , fake data

Under the upcoming General Data Protection Regulation (GDPR), organisations established or operating in the EU must have a legal basis for processing personal data. The GDPR provides for six legal bases for such processing: consent; legitimate interest; contract; legal obligation; vital interests; and public tasks. Most organisations looking to acquire new customers or users will look to consent or legitimate interest as the permissible basis for processing. However, legitimate interest has been a source of confusion for some marketers attempting to navigate it.

In March this year, the Information Commissioners Office (ICO) released a set of updated guidelines on Legitimate Interest. While it doesn’t necessarily answer all the questions that marketers ask about the GDPR, it does provide some clarity on what tends to be quite a murky topic.

Privacy and Electronic Communications Regulations and the GDPR

When looking at the ICO’s guidelines for legitimate interest, there’s a clear emphasis on a proportionate use of data for electronic marketing efforts. In fact, the most vital part of the ICO’s guidance document is that you can rely on legitimate interests for marketing activities, but only if you can show that you’ve used people’s data in an ethical way that does not significantly impact their privacy. Although some could argue that this is a subjective criterion, the guidelines state that people ‘would not be surprised or likely to object – but only if you don’t need consent under the Privacy and Electronic Communications Regulations (PECR)’.

Indeed, GDPR doesn’t operate in a vacuum. For purposes of direct marketing, organisations and marketers must keep in mind how the GDPR works with the PECR, as well as other pieces of legislation and guidance, such as the Companies Act, the distance selling regulations (DSRs) and the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code). The PECR provides supplemental consent rules for marketing sent over phone, fax, email, SMS and other electronic communication channels, and is currently being updated. If marketers plan to process personal data for the purposes of direct marketing electronically, it’s vital to understand which regulation imposes the higher duty of care on their program.

Soft opt-ins as a compliant alternative  

Interestingly, the ICO’s Legitimate Interest Guidance suggests that the existing soft opt-in exemption qualifies as legitimate interest. The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details and in every message you send thereafter.

Soft opt-ins are an effective data capture and engagement method for email marketers and can be achieved through a set of criteria that can keep marketers’ noses compliantly clean. Firstly, they must have obtained the customer’s contact details during a sale (or simply through the negotiations of a sale, which are outlined in the ICO’s Direct Marketing guidelines, specifically in articles 134 to 136) of a product, or service to that person. They will also only be able to market their own similar products and services. Finally, they would have needed to give the person a simple opportunity to refuse or opt out of the marketing during all communications.

Avoiding legitimate interest pitfalls

To establish with confidence that legitimate interest genuinely exists, organisations should analyse and document both the necessity of the particular processing and their conclusion after balancing the interest of the processing with the rights of data subjects. This is referred to by some as a Legitimate Interest Assessment (LIA). As to the necessity of the processing, we suggest getting in the habit of asking: can the same objective be achieved without processing personal data? If the answer is Yes, then the best practice is to move away from legitimate interest as the basis for processing and obtain consent. To meet the requirements of the LIA, marketers need to meet the three key principles, so purpose, necessity and balance need to be demonstrated in materials.

If the answer is No, the objective cannot otherwise be achieved, a good next step is to ask: is the need for processing outweighed by the interests or rights of the data subjects? When answering this, it’s important to remember that data subjects have a right to object to legitimate interest as a basis for processing and that objection can be overcome only with ‘compelling’ reasons set out by the processing organisation.

Given these constraints, when relying on legitimate interest as the basis for processing, data owners should have a process in place to keep a written record of the necessity and balancing conclusions. This is especially important where the data subject is a child. And, as a general practice, it will help avoid legitimate interest pitfalls and demonstrate proper consideration was given to the need for processing and the rights and freedoms of the individuals whose data is being processed.

A note on notice: If an organisation relies on legitimate interest as the basis for processing personal data, it is required that the organisation let the individuals whose data is being collected know what the legitimate interests are and that they have the right to object. This can be done at the point of data collection or, in the case of the notice to object, in the section of a privacy notice that deals with individuals’ rights.

As with all things GDPR and privacy-related, the best way for marketers to do this is to be upfront and transparent about their processing activities, and otherwise reverting to consent as their legal basis for processing of personal data.

Have an opinion on this article? Please join in the discussion: the GMA is a community of data driven marketers and YOUR opinion counts.

Guy Hanson
Author: Guy Hanson
Senior director of professional services at Return Path |

Guy Hanson is also the email council chairman at the UK DMA.

Leave your thoughts

Related reading

  • Keep up to date with global best practice in data driven marketing