If you, like us, have been preparing for GDPR for a number of months, it was with mixed emotions that the long-awaited guidance from the ICO regarding Legitimate Interest arrived last month. Rather shyly, given the amount of noise there is around GDPR, the Commissioner's Office has fully populated its Legitimate Interest pages so that there are now clearer specifics and useful examples for businesses around implementation.
Paul Snell of B2B Marketing has done a useful job in the post below of summarising some of the key points that the guidance elucidates for those seeking compliance certainty.
In short, there is a reiteration of the need - when applying Legitimate Interest as your lawful basis for data processing - to undertake the three-point test that we've heard about elsewhere: purpose, necessity, balance. But helpfully there's more detail on what businesses will be expected to demonstrate under each of the areas of the test.
For instance (and potentially somewhat surprisingly), the ICO says that "Because the term ‘legitimate interest’ is broad, the interests do not have to be very compelling" [goodness!]. However, the purpose that you stipulate does have to be clear and specific - don't think you can simply use "marketing" as a catch-all rationale for processing data going forward. Yet, if you specify that you are looking to generate more sales from an existing customer base, that would be an appropriate use of "legitimate interest".
To balance this interest you would then have to consider the impact on the individual (whose data you are processing), using tests such as:
- Whether people would expect you to use their details in this way;
- The potential nuisance factor of unwanted marketing messages; and
- The effect your chosen method and frequency of communication might have on more vulnerable individuals.
Lastly, Paul Snell highlights a glimmer of compliance hope for B2B marketers from the ICO. Whilst it is clear from the enforcement body that GDPR does very much apply to B2B organisations just as for consumer-facing peers and "Legitimate Interest" tests will need to be observed, the ICO also states: “Business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally.”
Not a get-out-of-jail-free card by any stretch, but a feeling that - for those B2B businesses that have a more content-focused, non-salesy and transparent approach to how they market themselves to prospects - our activities will likely be seen as both legitimate and reasonable in GDPR eyes.
The ICO cautions that although GDPR specifically cites direct marketing, that only means it may – and not always – be a legitimate interest. You still need to run the necessity and balancing tests. And, if the e-privacy regulation requires consent for some marketing communications, it will be the GDPR level of consent that’s needed and legitimate interests will not apply. And what of B2B marketing? Finally, there is some clarification around this crucial area of contention – and the answer is yes from the ICO. You will still need to apply the test, but as the ICO says: “Business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally.”