A 4-Step Legitimate Interests Strategy For GDPR Compliance
If you’re not worried about the 25th of May 2018 - deadline day for the impending GDPR regulations - it means either your GDPR processes are fully in place OR you’re asking for trouble.
You’ll know what GDPR is by now, but like two thirds of global businesses, you still might not be ready for it. With the clock ticking, you need to get a handle on compliance, fast.
Our objective is to provide a clear action plan for B2B businesses who are planning on using legitimate interests as their legal bases for direct marketing consent - which means most B2B businesses. It's not enough to say you have a legitimate interest in processing your clients’ and customers’ data: there are specific actions that you must take to ensure you are GDPR compliant.
- You may like: Cut through the noise: The only GDPR checklists you need
The GDPR provides six legal bases on which to process personal data:
- CONSENT – the individual has explicitly given their Consent to the processing of their Personal Data.
- CONTRACTUAL – processing of Personal Data is necessary for the performance of a contract to which the individual is a party or for the Controller to take pre-contractual steps at the request of the individual.
- LEGAL OBLIGATION – processing of Personal Data is necessary for compliance with a legal obligation to which the Controller is subject.
- VITAL INTERESTS – processing of Personal Data is necessary to protect the vital interest of the individual or of another individual.
- PUBLIC TASK – processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- LEGITIMATE INTERESTS – processing is necessary under the Legitimate Interests of the Controller or Third Party, unless these interests are overridden
Two of those can be used as a legal basis for one-to-one marketing: consent and legitimate interest.
Consent is an objective legal concept and, ultimately, not hard to demonstrate. Legitimate interest is subjective: it’s a matter of balancing your business’ right to market with your customers’ and clients’ right to privacy.
As a benchmark, the DMA recommends offering a clear opt out to customers and clients and a compelling case for why someone would be interested in your goods and services. Recital 47 of the GDPR legislation specifically singles out direct marketing use as an example of legitimate interest, provided that these criteria are met.
Legitimate interest is not a catch-all term that can justify collecting whatever data you like for whatever purposes you like. It’s something you have to demonstrate through direct action and reportage on every aspect of your marketing activity.
Four point plan
- The first thing to do, as with most things in GDPR, is a full audit of the data you currently store and process for marketing processes. You should ask yourself whether the data is necessary, and whether the data subject can reasonably expect you to use the data in this way.
- Once you’re happy that you are only processing data that is necessary for direct marketing, then you should carry out a Legitimate Interests Assessment (LIA). The LIA is a three stage process:
Identify a legitimate interest. What is the purpose for processing data to serve this interest, and why is it important to you? Both purpose and reason need to be clearly articulated and communicated to the people whose data you’ll process, even if they seem obvious.
Test for necessity. Do you need the data in order to achieve your stated purpose? The easiest way, according to the DPN, is to simply ask, “Is there another way of achieving the identified interest?” If there isn’t - or if it would be far more work - the data is necessary.
Test for balancing. Does your right to market outweigh your customers’ and clients’ individual right to privacy? The key concept here is ‘reasonable expectation’ - do people expect the data to be processed? If they want to know about your products and services, they need to provide a means of contact - but they don’t need to disclose their date of birth and gender identity to sign up for an email newsletter.
Once the LIA is complete, you’ll need to sign, record and store it. This guide from the DPN on legitimate interests covers the process in much more detail, and includes a LIA template.
- Update your privacy notice. Your privacy notice should clearly explain the legal bases you use for consent, how you obtain data, what it is used for and why. The DMA has provided guidance on how to write a compliant privacy notice.
EasyJet’s privacy promise is a solid example of best practice. It’s simple, it’s clear, it couples a video and a written explanation, and it’s structured around areas of user concern: their safety, the benefits they’ll receive, and the control they have.
This basic approach will serve you well, but a basic approach is all it is. GDPR is a complex subject, and by its very nature, the LIA process involves thinking more deeply about your business and its operations than is par for the course.
We advise you to read up before you start assessing your policies and practices. The DMA provides an overview of GDPR for marketers, along with insight into legitimate interest and the assessment process, and writing a GDPR-compliant privacy notice.
For the full picture - including an example LIA record and deep discussion of the process involved - consult the DPN/DMA joint guidebook.