GDPR - Legitimate Interest Guidance
The ICO have published their long-awaited legitimate interest guidance.
Many marketers have pinned their hopes upon legitimate interest as how they will justify their marketing activity under the GDPR.
However, until now there had been no guidance from the Information Commissioner’s Office (ICO) and this lack of guidance had created uncertainty for businesses.
Industry had created their own guidance, produced by the Data Protection Network, working with the DMA and others.
However, the ICO have now published their own legitimate interest guidance.
The ICO’s guidance largely covers the same ground. It identifies that legitimate interest is not a new concept; in fact it already exists in the Data Protection Act 1998. Marketers aren’t used to the terminology, but they have relied on it already.
The ICO clarify that legitimate interest comprises three key elements:
A legitimate interest: the legal ground could potentially cover many different processing activities but for DMA members, the legitimate interest will be direct marketing.
A necessity test: an organisation should assess whether legitimate interest is the correct legal ground and whether the processing of personal data is necessary. The processing of personal data is necessary for a direct marketing campaign.
A balance with individuals’ interests, rights and freedoms: an organisation must not impinge an individual’s rights and this means carrying out a balancing test to identify privacy risks and assess whether legitimate interest is valid in a particular instance.
The ICO make the point that what is actually new are the accountability and transparency requirements of GDPR.
Regarding the accountability principle, the guidance says: “Under the new accountability principle you need to be able to show that you have a lawful basis for each processing operation. If you are relying on legitimate interests, you need to document your assessment of how it applies to the particular processing, and ensure that you can justify your decision if necessary.”
Hence, conducting a legitimate interest assessment (LIA) is necessary in order to work out whether the legal ground is appropriate in the first place but also to evidence your decision-making.
The guidance emphasises this point: “This means it is not sufficient for you to simply decide that it’s in your legitimate interests and start processing the data. You must be able to satisfy all three parts of the test prior to commencing your processing.”
Crucially, the guidance points out that direct marketing is recognised as a legitimate interest. However, just carrying out direct marketing is not enough: you must identify your precise purpose, show that the use case is legitimate in a specific instance, and show that it isn’t contrary to the Privacy and Electronic Communications Regulations (PECR). PECR requires marketers to ask for consent in certain circumstances. See the ICO PECR guide.
The guidance highlights that the interests of an individual could override an organisation’s legitimate interests.
Marketers must consider whether their marketing would be reasonably expected by an individual. If the answer is no, then this adds weight against the case for using legitimate interest as the most appropriate legal ground.
For example, an IT software company could argue that IT Directors would reasonably expect to receive marketing emails relating to IT software products. They are responsible for purchasing software products for their company and therefore have an interest in receiving offers about products that might create efficiencies, for example.
The ICO give a fundraising example to demonstrate how legitimate interest could work in a marketing context.
The Charity example:
“A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them.
“The charity’s purpose of direct marketing to seek funds to further its cause is a legitimate interest.
“The charity then looks at whether sending the mailing is necessary for its fundraising purpose. It decides that it is necessary to process contact details for this purpose, and that the mailing is a proportionate way of approaching individuals for donations.
“The charity considers the balancing test and takes into account that the nature of the data being processed is names and addresses only, and that it would be reasonable for these individuals to expect that they may receive marketing material by post given their previous relationship.
“The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal; however, it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in future.”
The guidance includes a useful table indicating where legitimate interest is likely to be an appropriate legal ground. For example, the guidance states that legitimate interest may be appropriate in the following circumstances:
‘Live’ phone calls where there is no TPS/CTPS registration or objection
Emails/text messages to individuals – obtained using ‘soft opt-in’
Emails/text messages to business contacts
Conversely, legitimate interest is unlikely to be appropriate in the following:
‘Live’ phone calls to TPS/CTPS registered numbers
‘Live’ phone calls to those who have objected to your calls
Automated phone calls
Emails/text messages to individuals – without ‘soft opt-in’
The guidance goes into detail examining the various different aspects of legitimate interest and explains how organisations can assess whether their legitimate interest is valid or not.
Read the full guidance here.