Nick Burrell
GDPR / 04.05
Nick Burrell

GDPR Compliance and Legitimate Interest – What’s New?

The General Data Protection Regulation (GDPR) will bring many significant changes to the way that businesses process, use and store personal data. The new regulation brings updates to the 1998 Data Protection Act, but what do we now know about GDPR that we didn’t before?

The Information Commissioner Office (ICO) has recently clarified some aspects of GDPR, notably the wording around the principle and role of legitimate interests. The three central elements of legitimate interests remain the same, and for B2B marketing, the business needs to be able to prove the following to contact an individual without consent:

  • Legitimate interest
  • A necessary test
  • A fair balance between these and the individual’s interests, rights and freedoms

It is likely in the short term at least, B2B marketers in non-public organisations in the UK will rely on legitimate interest as their primary means of processing personal data. After all, Legitimate Interest does include a commercial interest and it’s unlikely that the use of data in a business context will significantly impinge on a person’s interests, rights and freedoms. The ICO does expect that the reasoning behind using legitimate Interest to be justified, documented and enforced within the organisation and so at CleverTouch we encourage our clients to systemise their approach within their Marketing Automation platforms. This ensures that rules are clearly defined and followed reducing the chances of non-compliance.

However, there are expected updates on e-privacy laws early next year which may overrule the claim on legitimate interest, leaving marketers no longer covered.  It is consequently essential that organisations ensure that they continue to capture consent at every possible touchpoint, regardless of the ability to use legitimate interest today so they can remain transparent and accountable throughout the course of collecting, processing, and storing the data in the future.

Since legitimate interest is not always self-evident, it is important that marketers can clearly outline their assessment of how it’s applied to their specific data processes and, to be transparent and compliant, you must inform contacts what legal GDPR basis you are relying on.

Organisations must ensure they are GDPR compliant, transparent, and accountable come the 25th May, rather than simply relying on the uncertain future of legitimate interest.

The ICO’s most recent guidelines on legitimate interest can be found here.