GDPR: Are ‘legitimate interests’ a carte blanche to carry on regardless?

As the new GDPR legislation rolls into action today, many marketeers are now looking to ‘legitimate interests’ to justify their comms activity - but whilst this clause offers the most flexibility to use people’s personal data for marketing purposes it cannot always be assumed it is an appropriate way to justify your communications.

The law states that legitimate interests can be ‘your own interests or the interests of third parties and can include commercial interests, individual interests or broader societal benefits’. However the Information Commissioner's Office (ICO) says that if you choose to rely on legitimate interests, you take on extra responsibility for ensuring people’s rights and interests are fully considered and protected. The ICO also states that for direct marketing purposes, the right to object is absolute and you must stop with the communications if someone requests it.

Is my comms covered by legitimate interest?

To make answering this question easier the ICO advises that businesses apply a three-part test:

1. Purpose test: are you pursuing a legitimate interest?
2. Necessity test: is the processing necessary for that purpose?
3. Balancing test: do the individual’s interests override the legitimate interest?

The ICO also recommends that businesses document the outcome of each assessment, this will make the process of demonstrating that legitimate interests apply much simpler if required to do so. This assessment is referred to by the ICO as an LIA (Legitimate Interests Assessment) and whilst these documents have no formal structure the ICO has created a template to support this best practice.

• ICO: Guide to the General Data Protection Regulation (GDPR)

In summary there is no definitive answer as to whether legitimate interest will give you solid enough legal grounds for communicating with someone, however if the use of people’s data has been done in a way that is proportionate, there is minimal privacy impact and the recipients are unlikely to be surprised by your reason for contacting them, then you are likely to have a strong enough case.

The recommended three tests will give you a good sense of the case you have and if these provide significant enough doubt it is safer to look at other ways to market your message.

Have your say!

We want to hear your views on GDPR - Have you received all the guidance you need to help your business comply?

Related articles

• Entanet Opinion: GDPR: Friend or Foe?
• Entanet Opinion: 5 Common misconceptions about GDPR
• Entanet Opinion: How will the GDPR and ePrivacy Directive affect your marketing?
• Entanet Opinion: Do the proposed IPA changes go far enough?
• Entanet Opinion: New Data Protection Bill & IPA – A match made in hell
• Entanet Opinion: How can the Investigatory Powers Act ever co-exist with the EU?

Further information:

• ICO: Guide to the General Data Protection Regulation (GDPR)
• Essential retail: GDPR: Consent vs. legitimate interest – what's the answer?
• The Guardian: Most GDPR emails unnecessary and some illegal, say experts