GDPR & Legitimate Interests

How Can You Continue To Use Bought-In Mailing Lists and Cold Email To Generate Sales?

GDPR Allows Six Lawful Bases For Processing Personal Data. Consent is one of the six, but Legitimate Interests is a more suitable reason for B2B sales and marketing.

Legitimate Interests is one of the six lawful bases for processing personal data under the GDPR (General Data Protection Regulation). You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.

Legitimate interests might be your own interests, or the interests of the third party receiving the data, or a combination of the two.

The latest guidance from the Information Commissioner says that legitimate interests may be the most appropriate basis when:

"the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing."

Crucially for marketers, direct marketing is described in the GDPR as an activity that may indicate a legitimate interest.

However, in order to be a legitimate interest, the direct marketing must be legal. As it is legal for businesses to market to individuals at other businesses by post, by email, by text and by phone (as long as the number is not registered with the CTPS), many businesses will be able to use legitimate interests as their basis for processing personal data for direct marketing purposes.

What must you do if you decide to use legitimate interests as your basis for processing personal data for direct marketing purposes?

As with much of the new Data Protection Regulation, much of the work that you need to do revolves around writing policy documents.

1. Carry out a legitimate interests assessment.
Assess each part of a three-part test, and document the outcome so that you can demonstrate that legitimate interests applies. The three tests are:

Purpose test – is there a legitimate interest behind the processing? In the case of direct marketing, yes, there is a legitimate interest for your business in using direct marketing in order to promote itself.

Necessity test – is the processing necessary for that purpose? You need to demonstrate that the processing is necessary for the purposes of the legitimate interests you have identified. This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose. In the case of direct marketing, yes, it is necessary to use direct marketing to promote your business.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms? With regard to business-to-business marketing, the Information Commissioner says: "business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally". So in the case of direct marketing and email marketing to business contacts, the legitimate interest is not overridden by the interests of the individual, who, as a business person with decision-making and budgetary responsibilities, can reasonably expect to be contacted with marketing material relating to his or her professional role.

You must carry out these assessments and document these three tests.

Electric Marketing's Legitimate Interests Assessment is available as an example.

2. Update your privacy notice to clearly say that you are relying on legitimate interests as your lawful basis, and say what your legitimate interests are.
Electric Marketing has updated its privacy policy to show that we are relying on legitimate interests to process data.

3. Communicate that you are using legitimate interests as a reason to process personal data.

The Information Commissioner has not offered any guidance on what it would accept as sufficient communication to the data subject that you are relying on legitimate interests as a basis to process personal data, but we have noted a few emails coming in to the office with notices at the foot saying:

"GDPR and this email. As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a legitimate need for office furniture within your business. From our research, or from information that you have provided, we have identified your email address: lists@electricmarketing.co.uk as being the appropriate representative to address within the organisation. We have deemed this to represent legitimate interest in line with the ICO's guidance."

While the advice on this page does not represent legal advice, you can read the Information Commissioner's guidance on legitimate interests in full on the ICO website.