By the end of this year, the ICO plans to provide guidance on the “legitimate interest” provisions of the GDPR. By legitimate interest we mean certain cases where organisations rely on claiming they have a legitimate interest in processing the data they collect: eg, when making live telephone calls or sending communications by post.
The ICO says it will publish guidance to explain exactly when legitimate interest can be used to justify contacting someone or processing their data. In the meantime, let’s take a look at the difference between legitimate interest and consent – and how this works with invisible processing.
Legitimate Interest As An Option
As a business, legitimate interest may well seem the better option for you, or at least for a good percentage of your own data. But there will be tests that you need to be able to fulfil, such as being specific about the exact purposes of processing, and because of this we suggest that you continue to check back with the DMA to get updated privacy notices.
If consent issues such as the potential risks to 3rd party data are going to continue to marginalise the industry, then innovation from smaller businesses and even new service streams from existing brands will struggle to take flight, since they will not be able to reach a sufficiently wide audience.
Also, legitimate interest used for legacy data post May 2018 would be deemed as a reasonable expectation – providing you have been marketing to them up to that point under the current stipulations of the DPA (i.e. that they can opt out of marketing emails).
Using this method comes with its own conditions. You need to:
- Tell the prospect that you are doing this
- Give them the specific option to opt out
Consent v Legitimate Interest
There is nothing to say you have to do one or the other. It is perfectly OK to have one part of your database opted in by consent, and the other part marketed to on the basis of legitimate interest.
A good divide would be to have all new contacts opted in after May 2018, but any legacy data could be used on grounds of legitimate interest as it has already been marketed to.
Invisible processing refers, for example, to the collection of social data which is then added to an existing contact record for a person who has already opted in. Again, the ICO are only just providing guidance on this. As a data controller you need to:
- Specify that you intend to proactively search for social data and name the channels – eg LinkedIn, WhatsApp, Xing, Twitter, Facebook etc.
- If a new social media channel comes into play, you will have to send out a notification to your entire database advising that you are adding in the new channel and giving people the option to opt out again (if using legitimate interest). If using consent, it is currently unclear whether the contact would need to be opted in again, or whether notification of the change plus an option to change their opt-in status or preferences would be sufficient.
To ensure your legitimate interest claim is enough to justify processing your customer data in the eyes of the law, contact us today.