What is legitimate interest and when can you use it for processing data?
In our previous blog we tried to dispel the myth that consent would always be needed for all types of marketing. With GDPR now enforced we wanted to provide more tips on legitimate interest as a ‘lawful basis’ for processing data. Direct marketing can be a legitimate interest, so there is no reason to panic! However, this is not simply a Get Out of Jail Free card allowing you to use data anyway you want.
So, what is the ‘legitimate interests’ basis?
Article 6(1)(f) gives you a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”
So – setting aside the legal jargon, what does this mean in practise? It means that if you want to use legitimate interests as grounds for your direct marketing you should be able to show that you’ve considered the rights of the data subjects, and whether your legitimate interests outweigh (on balance!) the rights of the individual’s whose data you are using.
The ICO’s guidelines suggest carrying out and documenting the following steps:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
The first step really is common sense – to ask yourself if what you are pursuing is a legitimate interest. The positive is that direct marketing is explicitly recognised as a legitimate interest, but this doesn’t mean ALL direct marketing is a legitimate interest! For example, if your marketing doesn’t comply with other legal or ethical standards it wouldn’t be considered a legitimate interest. So bad news for those mis-selling insurance or flogging sub-standard double glazing!
Ultimately, the processing must be necessary to achieve your legitimate interest – if you can accomplish the same outcome without using the personal data then you don’t have grounds for using the data. Again, you can think of this as in common sense terms – we’ve all filled out web forms which we think are far too intrusive in terms of the level of information they ask for. You should think about what personal data (if any!) is truly essential for the direct marketing activity, and only gather that.
The last of the three tests is the balancing test – do your legitimate interests outweigh the rights of the individuals whose data you are using? If you’re using data in a non-intrusive way, or in a way which people would reasonably expect, then this may be the case. Proportionality is key here – bombarding individuals with calls or contacting them in the middle of the night would clearly be unreasonable. For B2B marketing, calling them at work about a product or service relevant to their job role however is a lot more appropriate! So, if you’re already thinking about your customers and prospects interests and marketing to them sensitively and respectfully you’re already heading in the direction of GDPR compliancy!
The Right to Object
For direct marketing the individual has the right to object which means processing of their data for marketing purposes must immediately stop. For telemarketing you must suppress your data against the TPS and CTPS registers. You must also keep your own record of anyone who has asked you to stop marketing to them. With email marketing, you should always provide an unsubscribe link and ensure that those that do unsubscribe are not re-contacted (however, there are slightly tighter rules for sole traders and consumers when it comes to email marketing – we’ll be publishing more on this soon!)
So – don’t stress that consent is the only way forwards for your marketing, particularly for B2B marketing. But if you are thinking of using legitimate interests as the basis for your marketing don’t think this means that anything goes! Carry out the above process and don’t forget to document your decisions on legitimate interests – this all helps to show your compliance with GDPR.
Please note this article is intended for guidance only and is not intended as legal advice