GDPR – Can I use Legitimate Interests, or do I require consent?
Businesses are asking us whether GDPR means they need consent, or whether they can use legitimate interests when processing their data. This topic is leading to confusion and could lead some businesses into activity which ends in disaster.
This article from the Institute of Direct and Digital Marketing is the best blog we have read online, and it is something that Business Data Prospects completely agrees with.
Frequent questions revolve around the re-consent of data and usually involve the best way of getting around this problem. However, you don’t necessarily need to do that, and it definitely shouldn’t be seen as a problem. For over a year now, we have been publishing documents about seeing GDPR in a positive light. GDPR is not all about consent; it is more about processing, making sure that you are on the right lines with a legal basis, and making sure you are meeting the needs of that basis.
Another question is: if we reconsent our whole database, will we become GDPR compliant?
Yes, true, you will become GDPR compliant. However, in the process you are likely to lose the large majority of your database and a large percentage of your revenue, and then only have consent to send out marketing communications. We have seen hundreds of companies asking us (another business) to consent to their marketing, even businesses that we have never dealt with. People think they have no other choice than to reconsent their whole database, but there are other options to remain GDPR compliant.
The likelihood is that you want to do more than just send out marketing communications, and that you want to carry out processing such as:
- Link clicks and webpages visited
This list is the processing which GDPR covers. It is the activity which you are likely to be undertaking in a business-to-business scenario using legitimate interests, under the Data Protection Act 1998. The confusion stems more from electronic marketing such as email, SMS and social media, which falls under the Privacy and Electronic Communications Regulations 2003 (PECR); this law is not due to change for the next 12-24 months.
However, you still have some work to do; don’t just sit back and relax thinking there is nothing for you to do. The two legal bases for processing that are likely to be of interest to marketers are ‘consent’ and ‘legitimate interests’. In most situations, ‘legitimate interest’ will be most suitable, and under certain circumstances ‘consent’ may be required for marketing and data processing. The choice of basis is very important, as choosing the wrong one will make it difficult to meet the needs of that basis.
Unfortunately, both are subjective choices, as you are either balancing the rights and freedoms of the individual or deciding how much information makes consent informed. How specific does it need to be, to be specific? It is not all plain sailing; it does require some work to determine what you need to do to get it right. Ask yourself why you process data for direct marketing.
Consider the different types of processing that you do.
Is the processing ‘necessary’ for carrying out direct marketing properly?
Would the customer, within reason, expect you to use their data in the way you are using it?
Is it relevant to the relationship you have with them?
If this is the case then it is likely that ‘legitimate interests’ could be the way for you to go. This is not an exact list of requirements, so you will need to go through a proper and thorough impact assessment to find out if you can use ‘legitimate interest’.
The Data Protection Network (DPN) has kindly produced some quality content and guidance on legitimate interest, including a template to help you with the legitimate interest assessment. To sum it up:
- Figure out what data you have, what you are using it for, and what you can use it for.
- Apply the test using the template in the DPN guide.
- Make your decision: can you justify using legitimate interest, or will it require consent?
Making the right choice is based on need. If consent is the best way to go, then this should be because your use of the data presents a risk to the rights and freedoms of the individual. If this isn’t the case and your legitimate interest assessment says to use legitimate interest, then you can use it.
There is no need to put your business through unnecessary pain and stress and customers through unnecessary inconvenience if you don’t need to.
If you are still unsure and want more GDPR resources, here are some useful links: