Over recent weeks, the Information Commissioner’s Office (ICO) has made efforts to clear up some of the confusion around the forthcoming data protection regime: the EU General Data Protection Regulation (GDPR) and the UK Data Protection Bill that will sit alongside it. However, while the ICO’s ‘myth busting’ blogs have covered several topics, none have broached a subject many marketers remain puzzled about: legitimate interest.
More specifically, what role legitimate interest will play in the future when it comes to sending marketing communications to your customer database.
Much of this confusion comes from a single line within the GDPR text (Recital 47), which says that the “processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
Many, mistakenly, see this as giving them the freedom to carry on as they are. Sadly, it’s not quite that simple.
The important thing to acknowledge is that there is a significant difference between “processing personal data for direct marketing” and “sending direct marketing”.
If you wish to send direct marketing (such as emails) to individuals, in most cases this requires the following:
- That you sought their consent to receive marketing communication
- That these communications comply with the existing electronic communications laws (PECR)
- That you collect, store, process, share and use their data within data protection laws
Even at this stage, many businesses are uncertain whether they can tick all of these boxes, or at least cannot prove that they do.
This explains why so many are hoping to re-permission their existing customers with ‘double opt-in’ consent ahead of the new data protection laws. For example, asking customers to tick a box on a website to consent to marketing, then to reply to a follow-up email to confirm it.
Be warned, though – this approach isn’t without its dangers. Earlier this year, two companies received fines totalling £83,000 for sending re-permission emails to individuals who never originally gave consent. The ICO’s reasoning was that an email asking someone whether they want marketing is itself a marketing email, so under PECR it needs the very consent it is trying to obtain.
Yet, gaining customer consent isn’t always practical, or even possible, in other areas of marketing. This is where legitimate interest starts to become useful for “processing personal data”.
For marketers, the activities where legitimate interest is likely to be relied on because consent is difficult or impossible to obtain include:
- Suppressions – Limited data may need to be retained to ensure marketing is no longer sent to an individual who has opted out.
- Website personalisation – While consent is needed for marketing communications, a business dependent on personalisation to inform its marketing strategy (a travel agency, for example) can justify its need to tailor its offering to customers using their personal data.
- Direct marketing – where obtaining consent is not viable, for example a charity sending a postal mailshot to existing supporters, legitimate interests may be the appropriate basis (postal marketing is not subject to the PECR consent rules that apply to email and text). However, the sender will still need to establish that the processing is necessary and to balance its interests against those of the people receiving the communication.
But what is “legitimate interest” and how can marketers demonstrate it? In every instance of relying on legitimate interest – be it marketing, credit checking, risk assessment, compliance with law enforcement requests, and so on – several requirements remain:
- To justify that your plans to use their data are necessary
- To make it clear to individuals how you plan to use their data
- That you have given individuals a clear, easy opportunity to exercise their right to object to this data processing
Part of this assessment is a balancing test. This establishes whether the interests, rights and freedoms of the data subject override your interests; if they do, you cannot rely on legitimate interest. This is a judgement call rather than a mechanical test, so the reasoning needs to be documented and made available to the relevant authorities if needs be.
So, is using legitimate interest an easier route than consent? Maybe not. Is it an important alternative when consent is not possible and to ensure you stay on the right side of GDPR? Definitely.
In the meantime, while we wait for the ICO to release its official legitimate interest guidance (which will likely be early next year), I’d recommend the Data Protection Network, which has a handy Legitimate Interest Assessment template to give you an idea of the requirements.