Just How Legitimate is The Interest?
Many marketers are pinning their knickers to the mast of legitimate interest to justify direct marketing activities under GDPR. It is one of the six lawful bases for data processing under The GDPR, but what does it actually mean?
With only 8 weeks to go, the ICO has (finally) published some guidance on using legitimate interest for processing personal data. Although legitimate interest is one of the 6 lawful bases, the question remains, just how legitimate is the interest?!
In the new guidance, the ICO acknowledges that legitimate interest is not a new concept. It already exists in the Data Protection Act 1998: the 1998 Act does not use the same terminology, but the concept is the same.
The ICO guidance clarifies that legitimate interest is comprised of three key elements:
A legitimate interest: the legal ground could potentially cover many different processing activities, including direct marketing.
A necessity test: an organisation should assess whether legitimate interest is the correct legal ground and whether the processing of personal data is actually necessary for the purpose in question, e.g. a direct marketing campaign.
A balance with individuals' interests, rights and freedoms: an organisation must not impinge on an individual's rights, and this means carrying out a balancing test to identify privacy risks and assess whether legitimate interest is a valid basis.
Where GDPR really differs from the existing DP Act legislation is in its focus on transparency and accountability.
Regarding accountability, the guidance states: “Under the new accountability principle you need to be able to show that you have a lawful basis for each processing operation. If you are relying on legitimate interests, you need to document your assessment of how it applies to the particular processing, and ensure that you can justify your decision if necessary.”
It will be crucial for organisations wishing to rely on legitimate interest to carry out a Legitimate Interests Assessment (LIA). It's not enough just to decide you'll use legitimate interest; you have to be able to demonstrate that this legal basis is appropriate.
The guidance reinforces this point: “It is not sufficient for you to simply decide that it’s in your legitimate interests and start processing the data. You must be able to satisfy all three parts of the test prior to commencing your processing.”
The good news is that the guidance recognises legitimate interest as a basis for direct marketing. But we should also point out here that the viability of any direct marketing campaign must also be assessed in light of PECR (the Privacy and Electronic Communications Regulations), which require marketers to obtain consent in certain circumstances. Yes, the minefield is still very much live!
We should always bear in mind that the rights of the individual might override the legitimate interest basis. When assessing your legitimacy to process personal data, ask yourself the question 'could a contact reasonably expect to receive communications from my organisation?'. If the answer is no, you probably need to reconsider usage of legitimate interest as your basis for data processing.
For example, an IT hardware company could argue that IT contacts in its database could reasonably expect to receive marketing emails relating to IT products. A contact responsible for purchasing would have an interest in receiving offers about products that might create benefits or efficiencies.
Whichever basis you choose and however you decide to conduct your data processing under the GDPR, make sure you've done your homework, have your policies in place and are working within the law. If not, it could be expensive!
Read the full guidance here.