The General Data Protection Regulation (GDPR) redefines how we as marketers will do our jobs. One of the biggest changes that will affect each and every one of us is the battle of consent vs legitimate interest.
The new regulation goes a huge leap further than the previous Data Protection Act. It ensures that each act of processing for personal data requires consent unless there is legitimate interest. But what is legitimate interest and when can I use it I hear you ask?
Let’s break it down.
What does GDPR define?
GDPR outlines that you need to have a lawful basis for processing. But what does this really mean?
- Your processing of the data must be necessary.
This means that if you can achieve the same goal without processing then you shouldn’t. That would be unlawful.
- Your lawful basis must be defined before you begin processing.
There is no place for “do it now and apologise later” with GDPR. As a marketer it is your responsibility to structure your campaigns in such a way that this is clear from the outset.
- Your privacy notice should include your lawful basis for processing.
Every contact that you hold information on should be able to be able to easily access your privacy notice that showcases what your lawful basis is for holding and processing their information.
- If your purpose changes you may be able to use initial basis for processing.
This is quite good to note for marketers. It means that provided the new purpose is “compatible with your initial purpose” your will still be able to process your contacts personal data without consent.
- If your processing special category changes it is up to you to identify why it is lawful to process.
Special category data in a nutshell is information that is more sensitive than the rest. Because it is more sensitive it will require more protection. Examples of this would be race, ethnic origin, politics, religion, health, sex life or sexual orientation. Not protecting this type of information correctly means that you are putting your contacts under risk of unlawful discrimination and that is the last thing that you want. This is why it is important to have a lawful reason for processing it.
- Like special category data, you have to identify why it is lawful to process information about criminal convictions or data about offences.
Similarly to the special category with GDPR it is now the law that you take care and have a lawful reason for processing information on criminal offences. If not, and something goes wrong, you will be ruining a reputation and causing distress unlawfully.
So GDPR outlines how you should be processing your contacts information. Essentially, in order to process it the regulation hands back control to the contact. They must have full control of how you use and process their information. This means that consent is going to play a big role in the future.
What is consent?
GDPR defines consent as, “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
While in the past marketers have relied on pre-ticked boxes, perhaps only once in the lifetime of a contact, under the General Data Protection Regulation, this is no longer legal.
Contacts must make a conscious decision to allow you to process their information. And what makes this a little more intense for marketers is that GDPR works retrospectively as well. This means that all of the contacts that have opted in via the previously lawful method of pre-ticked boxes now ALL need to be opted back in.
What is legitimate interest?
Despite how it seems, consent is not the be all and end all when it comes to GDPR. Legitimate interest can come into play.
Under article 6(1)(f) legitimate interest gives you lawful basis for processing legitimate interest is where:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in particular where the data subject is a child”.
So basically, will your contacts actually be interested in what you have to say.
This means are need to outline if this information is being processed with the contact’s best interest in mind? Is it absolutely necessary to do so in order to get the desired outcome and will the contacts interests override your objectives for processing?
If as a marketer, you decide that legitimate interest is the route in which you are going down, you are going to need to back it up and document it. This is your responsibility to make sure that your contacts rights are protected. Your contacts must expect what you are doing with the information upon you gaining their information in order for it to be justified and lawful.
So how do you know which one to use?
This is the million dollar question and relies completely on your scenario. It will require planning and strategic thinking on your part.
Before you process any data it is important that you follow a number of steps:
- You should begin by mapping out which parts of your marketing falls into the consent category and which falls into the legitimate interest category. This should be documented and every member of your team should be aware of the outcome so that it becomes obvious what your new common practice is.
- For your legitimate interest category you should do a legitimate interest assessment. This involves a risk assessment and will keep you on the right side of the law. This assessment includes identifying the legitimate interest, answering whether or not processing is necessary and balancing out whether the contacts interests outweigh yours.
- You should update your privacy notices. Within your privacy notices is your opportunity to be completely open and transparent about how you use personal data. This should outline clearly why you have chosen your methods of marketing and should clearly define why any legitimate interest has been chosen.
It is important as marketers that we take the General Data Protection Regulation seriously. This directive will define how the new age of marketing will work. In preparing for GDPR it will always take longer than you think so it is vital that you start strategising as soon as possible.
For more information on GDPR for marketers feel free to drop me an email at email@example.com
This guide is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. This information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.
In a nutshell, you may not rely on this as legal advice, or as a recommendation of any particular legal understanding.