GDPR: a legitimate interest for direct marketers

The GDPR implementation date is creeping closer leaving many marketers and business owners still confused and perhaps panicked. According to the Federation of Small Businesses, nine out of ten say they are still not ready for 25th May 2018.

With “cold turkey” cases like pub chain JD Wetherspoon deleting its email database of 700,000 customers and deciding to market through social media and website instead, there is a temptation or fear to follow suit or launch a strategy to re-opt everyone in to marketing.

Industry bodies like the DMA and Data Protection Network (DPN) are providing a lot of useful information for marketers on GDPR. We’ve distilled their salient points into a briefing on the viable strategies to continue sending relevant, targeted direct marketing to a qualified audience.

Firstly, have you got consent?

In a nutshell, under GDPR there are six lawful grounds on which to process data. One of these is consent and you may well already have sufficient consent to process your customer/prospect data for marketing. But beware the ICO sets a high standard for consent. Essentially it is based on the current DPA clause: consent “must be freely given, specific, informed” but it also goes further to include being unambiguous with a clear affirmative action (no pre-ticked boxes), keeping a record of consent and avoiding making consent a condition of a contract. Note that the ability to withdraw consent must be easy and not incur a penalty for the individual, and regular consent reviews should be implemented.

So rushing in to get fresh consent from your hundreds/thousands/millions of customers could be unnecessary, costly and detrimental to an already legitimate database. If you have consent that satisfies GDPR, ensure you continue to adhere to it making any of the required changes such as consent reviews (every six months is sage advice). Ensure your current sign-up forms are GDPR-compliant for data you acquire henceforth.

But one thing is clear. You cannot contact someone who has already opted out, regardless of your motive. Even if you think you’re being prudent or helpful to check if they want to opt back in, to update their details or inform them about your GDPR strategy – it’s breaching the law. Flybe and Morrisons have been penalised for this.

Legitimate interest

We’ve established that consent that meets GDPR standards is quite hard to obtain – even the ICO admits this. But remember, there are six bases for processing data and you must choose the most appropriate. The DMA and its partners have lobbied for the continued use of legitimate interest, and as one of the six bases it may be the one for you as a data controller.

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Article 47

Legitimate interest can be relied upon for a whole host of data processing purposes including fraud prevention, profiling and HR but we are focusing here on direct marketing.

CEO of the DMA Group, Chris Combemale remarks “Most of our members will use ‘legitimate interest’ as the basis for normal data hygiene, segmentation, personalisation of offers and channels such as postal, and recital of 47 of the GDPR states that direct marketing is a legitimate interest.”

However, if you’re not sure exactly what it means, you’re not alone. One in four marketers are concerned about the issue of legitimate interests under the new rules*.

There are three elements to the legitimate interests basis. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms

To break this down further, legitimate interest means that there would be a relevant and appropriate relationship between the data subject and the controller, i.e. the people you’re marketing to would expect to hear from you and not object. You must also include an option to opt-out at every opportunity. It should be noted that GDPR prohibits the use of legitimate interest for as a basis for processing personal data by a public authority (Art.6 (1)(f)).

Put yourself in the recipient’s shoes.

An update on fundraising events from a charity to its donors? Sounds reasonable.

A mail pack about child investment funds to someone who doesn’t have children? Now it’s starting to sound less legitimate.

If legitimate interest is to be used, then there is a need to balance the interests of the business against the rights and interests of the consumer. Although not specifically itemised in GDPR, carrying out a legitimate interest assessment (LIA) will document and assess whether your choice in lawful.

An LIA has three stages and you can read more on this from the DPN:

  1. Identify a Legitimate Interest
  2. Carry out a Necessity Test
  3. Carry out a Balancing Test 

Privacy notice

Any Controller wishing to rely on legitimate interest must inform individuals (via a privacy notice) that it is processing personal data on this basis, what the legitimate interests are, and also notify individuals of their right to object. You may decide to reassure your customers that you’re making changes in line with GDPR, directing them to your updated privacy policy.

At the end of the day, it’s not about finding loopholes or meeting the bare minimum to skirt penalties. Whilst the non-compliance sanctions are potentially huge, the ICO commissioner makes it clear GDPR’s purpose is not to threaten the marketing profession but to give greater control to the individual, and part of that is being a responsible marketer.

James Monkman, Head of Partnerships & Compliance at Omnis Data, agrees. "GDPR is about common sense and looking after the consumer. That means transparency, protecting consumer information and being prepared for the changes afoot."

We all know that engaged customers who want to hear about your products and services are the ones to nurture and respect with compelling marketing. And when they don’t want to hear anymore, allow them to walk away… leaving the door open.

Our GDPR check list will give you an indication of how prepared you are for the changes. If you need help with creating compelling direct marketing campaigns, or a database cleanse, get in touch.

 

*GDPR and You research from the DMA