Senior Consultant Pulse Cyber Security
Blogger
Share this content

Legitimate Interest or Consent?

9th May 2018
Senior Consultant Pulse Cyber Security
Blogger
Share this content

Legitimate Interest or Consent?

The absolute need to gain Consent (and to apply that as the only possible lawful basis, through which personal data can be processed) is the greatest GDPR myth of all. Even with less than 2 weeks to go to May 25th, this remains the case – and practices remain focussed (and panicked) on identifying how to go about gaining Consent. In fact, Legitimate Interest would be a perfectly valid lawful basis in many instances, and Consent does not need to be obtained.

As Elizabeth Denham (Information Commissioner) herself has quoted, “Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.”. Unfortunately already twice this week I`ve observed professional commentators falling into the same trap, with Legitimate Interest overlooked as a valid lawful basis for the processing of personal data.

In general the accuracy of information around GDPR via social media, blogs and articles is mixed at best, so I would urge anyone with any concerns or questions about their compliance journey – to make the ICO website a familiar port of call.

Legitimate Interest or Consent? Well, firstly we must consider the nature of the data subject and the processing of the personal data. Is it B2B or B2C? The difference is significant within the GDPR.

B2B (Business to Business): If your product or service is of relevance to the recipient professionally, then you can market to them without opt-in consent for particular channels, like email and text

However, an opt-out option must be used. This applies only when marketing to corporates; limited companies, LLPs, partnerships in Scotland and government departments. Legitimate Interest is a valid lawful basis, as long as a 14 point LIA is conducted for each data subject and that a 3-point balancing test is carried out. The key message here being the need to ensure (in every instance) that the rights, freedoms and interests of the data subject are not outweighed by those of the data controller. In addition it is essential to always provide a clear, transparent and easy to use “Opt-Out” option for the data subject, when applying Legitimate Interest as your lawful basis.

B2C (Business to Consumer): Opt-in consent is required with all the consent rules applying. Once marketers have received a subject’s consent to process their data, they may use other personal data such as the subject’s purchase history or location to tailor their marketing as long as they can prove it’s of legitimate interest to the subject. This applies when marketing to sole traders or partnerships.

This is further reinforced by the Direct Marketing Association (DMA), who have clearly stated that B2B marketing activities can apply legitimate interest as the legal basis for electronic marketing, because PECR does not apply.

Good luck over the next 2 weeks as May 25th closes in, I`m happy to help with questions or to debate elements of the GDPR that may be concerning or confusing you.

Richard

Replies (3)

Please login or register to join the discussion.

Neil Armitage
By Neil Armitage
11th May 2018 08:37

Very much agree Richard.

The May reconsenting madness is more annoying than the usual levels of spam & promotional emails, meaning I am actually more likely to ignore the consent request, even if the content may normally be of interest to me.

Thanks (0)
Red Leader
By Red Leader
11th May 2018 16:08

For practices with "Consumer" clients (as opposed to prospects), what can you communicate to them without them opting in?

Thanks (0)
Replying to Red Leader:
a
By RichardPulseCyber
11th May 2018 16:13

If the data subject is an existing client, it is safe to suggest that there would be a legitimate interest and that can be applied as a lawful basis for processing the data. Remember, there still needs to be an option to "Opt Out" when relying on legitimate interest.

Thanks (1)