Legitimate Interest or Consent?
The absolute need to gain Consent (and to treat it as the only possible lawful basis through which personal data can be processed) is the greatest GDPR myth of all. Even with less than 2 weeks to go to May 25th, this remains the case – and practices remain focussed (and panicked) on identifying how to go about gaining Consent. In fact, Legitimate Interest would be a perfectly valid lawful basis in many instances, and Consent does not need to be obtained.
As Elizabeth Denham (Information Commissioner) herself has said, “Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.” Unfortunately, already twice this week I've observed professional commentators falling into the same trap, with Legitimate Interest overlooked as a valid lawful basis for the processing of personal data.
In general, the accuracy of information around GDPR via social media, blogs and articles is mixed at best, so I would urge anyone with any concerns or questions about their compliance journey to make the ICO website a familiar port of call.
Legitimate Interest or Consent? Well, firstly we must consider the nature of the data subject and the processing of the personal data. Is it B2B or B2C? The difference is significant within the GDPR.
B2B (Business to Business): If your product or service is of relevance to the recipient professionally, then you can market to them without opt-in consent for particular channels, like email and text.
However, an opt-out option must be used. This applies only when marketing to corporates: limited companies, LLPs, partnerships in Scotland and government departments. Legitimate Interest is a valid lawful basis, as long as a 14-point LIA is conducted for each data subject and a 3-point balancing test is carried out. The key message here is the need to ensure (in every instance) that the rights, freedoms and interests of the data subject are not outweighed by those of the data controller. In addition, it is essential to always provide a clear, transparent and easy-to-use “Opt-Out” option for the data subject when applying Legitimate Interest as your lawful basis.
B2C (Business to Consumer): Opt-in consent is required with all the consent rules applying. Once marketers have received a subject’s consent to process their data, they may use other personal data such as the subject’s purchase history or location to tailor their marketing as long as they can prove it’s of legitimate interest to the subject. This applies when marketing to sole traders or partnerships.
This is further reinforced by the Direct Marketing Association (DMA), who have clearly stated that B2B marketing activities can apply legitimate interest as the legal basis for electronic marketing, because PECR does not apply.
Good luck over the next 2 weeks as May 25th closes in. I'm happy to help with questions or to debate elements of the GDPR that may be concerning or confusing you.
Operations Manager with FibreCRM
Experienced business professional with 25 years' experience of end-to-end leadership and management in sectors such as Food Manufacturing, Business & Training Support, Information Technology and Software Development.
Skilled in GDPR Consultation, Cyber and Information...