The GDPR caused a massive stir in Europe and the UK when it was first announced in 2016. The European Union then gave businesses two years to get to grips with the new regulations. This caused an absolute frenzy across the whole business world, even as far away as the USA and India. The GDPR gave new, stringent rights to data subjects and gave supervisory authorities like the ICO powers to really attack wrongdoers. Since the changes came about, there has been a frenzy about whether people could market without consent. Whilst consent is the strongest legal basis for processing, legitimate interest is way more useful for marketing.
So, what actually is legitimate interest for marketing? In this article, we’ll show you the ropes of the GDPR (or DPA 2018) and teach you all about legitimate interest. Remember, it may be annoying for businesses to deal with, but the law is made to protect people’s privacy. We will also explore what you should look out for if you’re buying data for an outbound campaign. After reading this article, you should have a better understanding of the subject.
The GDPR/DPA 2018
The GDPR is an EU Regulation that was applied across all member states, including the UK, during 2018. The main aim of the implementation was to give data subjects more control over their privacy. Another benefit was that it provided a unified standard for international business. This is because the GDPR applies to all companies that process the data of EU citizens, regardless of location. The GDPR also applied new expectations and controls for the security and protection of personal information. Since then, the law has served as an inspiration for many other world data protection laws.
In addition to the increased rights and protections for data subjects, there’s more. Supervisory Authorities (organisations that police data compliance) have also been given more powers to punish lawbreakers. For instance, under the DPA 1998, the ICO could only fine up to £500,000 for breaches of the law. Under the GDPR, the ICO now has powers to levy fines of up to £17.5 Million or 4% of global annual turnover, whichever is higher. These new powers have made it even more critical for businesses to comply with the law.
What is Legitimate Interest?
Strictly speaking, legitimate interest is one of the few bases for lawful data processing under GDPR. What this means in plain English is that it’s one of the ways you can process personal data without getting into trouble. That’s not to say that you can do whatever you want. You still have rules to follow, and you had better be sure to follow them, for the sake of your business. Legitimate interest can be for your benefit or that of an outside party. This also includes business interests. Despite this, you also have to consider the rights of the data subject when using legitimate interest.
Carrying on from the previous point, to use legitimate interest, you need to use a balancing test. It helps to think of the balancing test in three stages, which are listed below. It should be noted that if the data subject wouldn’t reasonably expect the processing, or it would cause needless harm, their rights outweigh yours. This is why you should always keep an internal copy of your balancing test for compliance purposes.
- Identify Your Company’s Legitimate Interest.
- Prove That Processing Is Necessary To Achieve The Interest.
- Balance This Against The Data Subject’s Rights and Freedoms.
Why is Legitimate Interest Important?
Legitimate interest is important because it is a lot more flexible than consent. Of course, you still need to operate within the law, but it is easier. For example, if you tried to buy a marketing list based on consent, you’d be spending a lot of money. You also wouldn’t get much from it in terms of the number of records. Legitimate interest provides a method for still carrying out targeted direct marketing campaigns. So long as your legitimate interest is solid, you should be able to continue using legitimate interest for marketing. If consent were the only lawful basis, direct marketing would have died three years ago.
Despite the flexibility of legitimate interest, you can’t always rely on it. It’s not always going to be the most appropriate method of processing. For example, with legitimate interest, you have to prove that what you’re doing is targeted and proportionate, and that it is the way to reach your goals whilst causing the least potential damage to people’s right to privacy. You should always make sure that you give data subjects an easy method to opt out of communicating with you. Your legitimate interests do not cancel out the subject’s right to object to processing.
What To Look Out For When Buying Data
When you’re buying marketing data for outbound campaigns, you have to think about GDPR. One of the first things you should ask your supplier is “how is this GDPR compliant?”. If your supplier can’t provide an adequate answer to this question, then you should look elsewhere. For example, at Driven Media Solutions, we process our data through legitimate interest. This isn’t enough though, so we conduct an internal balancing assessment against the rights of the data subject. This is to ensure that everything is above board. It also works slightly differently as we do not handle consumer data, only B2B.
You should also think about how often your supplier is TPS/CTPS checking their data. The law states that your database has to be refreshed against the registers every 28 days. Calling prospects that are on the TPS/CTPS registers can cause serious headaches for your business. If you work in certain industries, it could even be a barrier to you continuing your operations. This is why it is always important to buy from a trusted supplier that knows the law on what they’re selling. This is why we only supply data on Limited Companies rather than consumers and sole traders. It creates a more manageable compliance situation.
Conclusion
In conclusion, it can be seen that the GDPR has had a massive impact on data protection. You can see this just from the fact that it has been mirrored around the world. Data subjects now have more rights and Supervisory Authorities have more teeth to punish offenders with. This has become a necessity, given the rapid development of technology and the ways we use personal information. You should also now have a good understanding of what legitimate interest is and how you can use legitimate interest for marketing. It’s not perfect, but it is the most flexible basis for processing, without a doubt.
You should also now understand why having provisions for legitimate interest is important for business. You should be able to reasonably conduct your own legitimate interest balancing assessment. This is a requirement if you’re going to use legitimate interest for marketing. Finally, you should also now have an understanding of how legitimate interest impacts the purchase of marketing data. You need to make sure that you’re using a reputable supplier with strong compliance documentation. Anything less than that could see you in serious legal trouble. If there are no compliance documents, don’t do the deal.