Since the GDPR splash of 2018, the marketing world has been bracing itself for a regulatory spanking.
Especially in B2B – where cold outreach and murky practice abounds – our industry has been expecting the worst. But as the first year’s tallies revealed, 2018 was a year of peace for most (except Google – who shouldered 83% of the total €55.96m tally). Maybe GDPR isn’t so scary after all?
And then, just in time to stave off complacency, regulatory watchdogs acted. After Issuing fines of £183m and £100m to British Airways and Marriott respectively, public protectors have managed to set the tone of GDPR’s anniversary.
In many ways we find ourselves back where we started in 2018. Marketers are still asking: how can we safely grow while doing good by our audience? To answer this, we’ll need to consider an overlooked GDPR basis for communication: legitimate Interest.
“Market unto others as you would have them market unto you.”
What is Legitimate Interest?
Put simply, legitimate interest is the close cousin of our old friend consent (think: opt-ins). Almost all marketers are familiar with consent by now, and understand how to use this as a basis for enabling communications – even though they lack the knowledge to do so via legitimate interest. Let’s look at why this matters, and how we can enable fair, respectful and transparent communications on the lawful basis of legitimate interest.
Before we get legit, we’ll need some context. What are the lawful bases, and how are they meant to be used?
Lawful bases are the required conditions for processing data. There are 6 exhaustive options, one of which must be used as legal grounds whenever personal information is processed. For now, pay attention to the first and the last:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
As you’d imagine, marketers only really spend their time on (a) Consent, and (f) Legitimate interests. While (b) Contract has been used in customer marketing and transactional communications – with GDPR it’s common practice to have an additional consent-based opt-in to support this. The rest, thankfully, are a far cry from our typical marketing use-case. These can be ignored for our purposes.
From the above list, a single lawful basis must apply to your use-case before any processing may take place, and it’s up to the processor to determine the most suitable for any given circumstance. This can be a tricky question, and really requires some thought to get right. Thankfully, the Information Commissioner’s Office has developed a handy tool for exactly this purpose.
As far as the customer is concerned, the outcome of legitimate interest is precisely the same as consent (as expressed by the Data and Marketing Association)
To place the customer at the heart of everything we do as marketers, by following the principles below:
- Put your customer first
- Respect privacy and meet your customer’s expectations
- Be honest, be fair, be transparent
- Exercise diligence with data
- Take responsibility, honour accountability
Or, as The Social Effect likes to put it: “Market unto others as you would have them market unto you.”
What to do
If you need to communicate with a lead or customer, and a traditional opt-in process is blocking you, it’s worth considering legitimate interest as a basis for lawful processing of data. Start by asking a few questions:
- Are you processing data with respect to your prospect / customer’s privacy? Use your common sense!
- Do you absolutely need to process their data?
- Does your prospect / customer benefit from this?
- Can you provide a record of when legitimate interest is used, and why
Finally, you should walk through each step in the ICO’s Legitimate Interest Assessment. They have a very handy template that you can complete. Although GDPR does not strictly require this, it’s a positive exercise in making sure the approach checks out.
If you’re unsure about legal grounds for processing, the Data Protection Network has a brilliant and comprehensive resource
Which of your use cases are you currently grappling with? Does legitimate interest allow you to safely process data for the good of the individual?