GDPR: ICO publishes new guidance on legitimate interests – what you need to know
The Information Commissioner’s Office has (finally) published detailed guidance on the use of legitimate interest as a legal ground to process data under the GDPR. Paul Snell takes a look at what it means for B2B marketers
In the past 12 months or so that I’ve been covering GDPR, there’s been a big shift in B2B circles from concern around driving consent to a focus on legitimate interest as the legal ground to pursue for marketing purposes.
It’s understandable marketers are looking for an alternative to the complex and restrictive conditions under consent. After all, the GDPR says “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” – and even the ICO has said previously: “If consent is too difficult, look at whether another lawful basis is more appropriate.”
Last week the ICO sneaked out new, detailed guidance on the use of legitimate interest as a legal ground, and I’ve done my best to quickly summarise the key points marketers need to be aware of. But I would urge all those grappling with GDPR to take a look at the guidance in detail, as although we’ve been kept waiting, it provides vital insight for compliance.
Legitimate interest already exists under the Data Protection Act, and the ICO suggests the GDPR is not a huge departure. The three necessary elements – a legitimate interest, a necessity test, and balancing against the rights of the individual – remain. What GDPR has changed is the need to document your assessment and justify your decision, and tell individuals what your legitimate interest is. It adds if you currently process data on the basis of consent, and you don’t meet the GDPR standard yet, you could swap to legitimate interest.
The three-part test
The ICO has clarified the expectations around using legitimate interest as a basis for processing personal information. It breaks down the test to cover:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
Defining a legitimate interest
The guidance gives succour in saying that “the interests do not have to be very compelling”, but that “you (or a third party) must have some clear and specific benefit or outcome in mind. It is not enough to rely on vague or generic business interests”.
It’s not enough to say you have a legitimate interest in processing customer data, a more specific statement is required. An example provided by the ICO reads: “We have a legitimate interest in marketing our goods to existing customers to increase sales.”
However, it adds to not forget about the word ‘legitimate’. Even though marketing is legitimate, “sending spam in breach of electronic marketing rules is not legitimate”. Something to consider as we continue to wait for the final revision of the new European e-privacy directive.
The ICO also points out that the need for processing to be ‘necessary’ doesn’t mean ‘essential’, but it must be a targeted and proportional way of achieving your objective.
Part of the balancing test is whether individuals would “reasonably expect” their data to be processed. The factors that might affect this could include:
- What you tell them in your privacy statement
- The relationship you have with them, and its nature
- When you collected their data
- Where you got it from
- If you’re using new technology or processing their data in a way the subject would not anticipate.
Even if the impact on the data subject is negative, that doesn’t necessarily rule out the processing – you just need to weigh that balance more carefully.
"Business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally.”
Legitimate interests and marketing
The ICO cautions that although GDPR specifically cites direct marketing, that only means it may – and not always – be a legitimate interest. You still need to run the necessity and balancing tests. It suggests the following considerations as part of the balancing test:
- Whether people would expect you to use their details in this way;
- The potential nuisance factor of unwanted marketing messages; and
- The effect your chosen method and frequency of communication might have on more vulnerable individuals.
But, it states: “as long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest.”
There is though, a huge caveat. If the e-privacy regulation requires consent for some marketing communications, it will be the GDPR level of consent that’s needed and legitimate interests will not apply.
Do these legitimate interests apply to B2B? Finally, there is some clarification around this crucial area of contention – and the answer is yes from the ICO. You will still need to apply the test, but as the ICO says: “Business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally.”
What do you need to do to apply legitimate interest?
As with much of GDPR, it’s the documentation and process that are key. Even though the GDPR does not specify the need for you to record your legitimate interest assessment (or even carry one out), “it is difficult to meet your obligations under the accountability principle without it”.
The new guidance outlines the full process including questions to ask, examples to follow, and a sample template document. If you’re going down the legitimate interests route, it’s vital you consult this guidance.
What to include in your privacy statement
- What the purpose of processing personal data is
- That you’re relying on legitimate interests as your legal ground, and
- Summarise what the relevant legitimate interests are.
Far from signalling the end of marketing, GDPR should be seen as an opportunity to rethink your marketing strategy and reposition the function as a source of genuine competitive advantage.