We recently discussed the issue of legitimate interest as it applies to GDPR, and alluded to the fact that this is one area of the legislation that marketing departments will really have to sit up and take notice of.
Of course, in holding and processing the personal data of consumers, your marketing people might argue that all the information they hold and all the processing they perform is legitimate, because in essence, their job is to promote the company or brand and would thus feel that everybody has a right to know how great it is.
They may feel that once the business has followed the guidelines for consent, they will be free to market to any and all consumers in their database. That will no longer be the case.
Marketing in and of itself is not a good enough reason to rely on legitimate interest. At the very least, they will have to show that the interest is genuine and compelling, that the processing is necessary for it, and that it has little or no impact on the individual's rights and freedoms.
Three of the six generic examples in the GDPR (in recitals 47 to 50) where a controller may have a legitimate interest, are of note for marketers.
- Direct marketing
The GDPR states: ‘The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
This applies where consent is not viable or preferred, though the Data Protection Network rightly stresses that organisations will still need to show a balance of interests: their own and those of the marketing recipient.
Of course, any individual can object to direct marketing at any time, and under Article 21 that objection is absolute: once it is made, the data can no longer be processed for direct marketing. It is the example of legitimate interests for which objection is already well understood and easy to action (usually via an unsubscribe link or by contacting the company in question).
- Relevant and appropriate relationship
This covers cases where there is a direct and appropriate relationship between the controller and the individual, for example, where the individual is an existing client (Recital 47 gives the example of the data subject being a client of, or in the service of, the controller).
- Reasonable expectations
If a controller can show that individuals had a reasonable expectation, at the time and in the context of collection, that their data would be processed for this purpose, this helps to make the case for legitimate interests.
There are of course other legitimate reasons why your business can hold information for marketing purposes, and these include:
- Suppression - If a user objects to direct marketing, a company may need to hold very limited data in order to ensure no more marketing is sent to that user, for example the recipient's email address stored in a 'Do Not Use' file. Holding that minimal record is itself a legitimate interest; deleting it would risk marketing to someone who has already objected.
- Personalisation - Assuming consent is requested and given, a business may use a consumer's data to personalise website content in order to improve user experience.
- Web analytics - Analytics programs on the internet and social media platforms can be used to assess visitor numbers, page views, likes, followers, etc, in order to improve or shape future marketing campaigns. We won't lie: this is a complicated area, and whether it can be justified beyond cookie consent remains to be seen.
So, what can your business do to make sure your marketing department stays within these lines and is compliant with GDPR? There are three main steps.
- Update the privacy policy to clearly inform consumers that their details may be used for marketing purposes
The GDPR demands that all organisations provide clear and transparent information to individuals about data collected, how it is used, and why. If you don’t explain clearly that you track visits to your site, then you can’t track visits to your site. If you don’t state that downloading information from your site will lead to being sent marketing material, then you can’t send people marketing material. You get the picture…
It must also be noted that individuals now have the right to object to the processing of their personal data (which must also be outlined in your privacy policy), and your business needs to be able to manage this, but we will come to that later.
- Carry out a Legitimate Interest Assessment (LIA)
In order to know for sure that you are covered by legitimate interest, you need to carry out an LIA that documents that you have considered the necessity of the processing and that your interest is not overridden by the individual's rights. It involves three steps:
- Identify the Legitimate Interest – know the purpose of processing the data and be able to explain why it is important to you as the data controller
- Run a Necessity Test – ask if it is actually necessary for the business to process this data, and if there is a realistic and affordable alternative
- Carry out the Balancing Test – weigh up the need to process the data against the rights of the individual as marked out by GDPR
Factors to consider in the balancing test include the nature of the interests on both sides, the impact the processing will have on the individual (including whether they would expect it), and the safeguards that need to be put in place, such as data minimisation, retention limits and access controls, to reduce that impact and keep the processing secure.
- Ensure your IT set-up enables you to deal with data processing objections, right to erasure and data requests
If you cannot confidently identify what personal data you hold, where it is stored, how it moves through the business and what it is used for, and if your IT infrastructure cannot locate, export or delete that data when a subject access request, objection or erasure request arrives (the GDPR expects a response without undue delay and, in any event, within one month), you may be in a spot of trouble. Unless, that is, you start taking steps towards compliance now.
Given the scale of the requirements for GDPR compliance, this may not be something you can fix in time, so looking to a certified GDPR consultant for advice would be a good idea.
Offering not just IT support, but also the GDPR expertise you need, pebble.it can help you map out the key requirements you need to become compliant with this new legislation, so you can approach it with practical, provable steps.
Find out how we can help you on the road towards compliance by getting in touch, and discover what you need to focus on by downloading our GDPR-readiness checklist.