Nick Burrell
GDPR / 04.07

How legitimate is legitimate interest?

CleverTouch’s co-founder, Nick Burrell, recently spoke at the GDPR Summit in London, where he discussed ‘Digital Marketing under GDPR’ with other panelists and attendees. The event was attended by around 250 marketing, HR, and IT professionals, with speakers ranging from lawyers to database specialists.

Nick was joined by a range of B2B and B2C businesses in the Marketing Stream, many of which depend on data and now struggle under GDPR regulations. Interestingly, the question that was discussed most on the day was around GDPR and legitimate interest—with many questioning and debating whether legitimate interest is appropriate or not.

Legitimate interest is one of the six lawful means to process data under GDPR, and it and Consent are the two most relevant to marketers. However, under new Privacy and Electronic Communications Regulations (PECR), it is likely that consent will be needed from all individuals for any electronic communication (e.g. emails), eliminating legitimate interest. Although many organisations are using legitimate interest to continue communication without consent, this may not be available post PECR, so businesses should begin making changes and get ready for the introduction of PECR.

PECR will affect legitimate interest when it comes into effect (likely early 2019). Although PECR is predominantly an update of the Cookie Laws on websites, it will restrict, and ultimately cancel out, legitimate interest for businesses. PECR sits alongside the Data Protection Act and GDPR, giving people specific privacy rights in relation to electronic communications.

So, what can businesses do to prepare for the end of legitimate interest? Between now and the introduction of PECR in 2019, businesses should continue to build up an opted-in marketing database. After PECR is introduced, businesses will likely be unable to market electronically via email. Although PECR is not yet set in stone, this is how the regulation is currently drafted.

In the meantime, businesses—particularly marketers—must define their target audience and who could be included under legitimate interest (this can include existing customers, previous customers, or prospects). Marketers who have their CRM database linked to their marketing platform will be able to identify and handle data.

Marketers should be mindful of the transparency requirements when reaching out to these individuals via email, and include a line in the footer of the email stating ‘we’re contacting you under legitimate interest’, or similar. This makes the individual less likely to wonder whether they have consented to the email or not.

We’ve seen that some organisations have not changed their behaviour since GDPR came into effect, but it’s important for businesses to begin making changes, and be ready for further developments.