Legitimate interests – can we rely on it as a ground of processing for direct marketing?

Transcript of the Video

Good evening to you. Suzanne Dibble here, data protection law expert, coming to you raw and uncut in the evening once more because the days simply run away with themselves. But I will be doing a Facebook Live in the daytime very soon. And thank you so much for all of your positive comments about the live two-hour training that I did yesterday. If you saw that there wasn't a video, that's why, because my voice had literally stopped working after. I think we were on for two and a half hours yesterday. Great engagement by the people who came onto the live session. Lots and lots of questions that I couldn't get through, but one of them was about legitimate interests. And I know that there have been a fair few questions about that in the group, as well. So I wanted to do this little video to clear up any confusion. And the reason that there is confusion over this area and why there is a lot of, in my view, incorrect advice going around is because of a recital that specifically refers to direct marketing.

Now, as you will know if you watched the training that I did, if you're processing personal data, you have to have a legitimate ground of processing for doing so. Now, we've obviously talked a lot about consent. That's one of the grounds. But the other ground that we talk about a lot is legitimate interest and what that means. And the relevant recital which is where direct marketers seem to think that what that recital is saying is that you can just completely ignore consent and do marketing to whoever you like without any consent, it's recital 47, which states that the processing of personal data for direct marketing purposes may be regarded as carried out through a legitimate interest.

Okay, now some people have read that and interpreted that to mean you can send emails, send marketing emails. You don't have to get consent. It says in the recitals that direct marketing is okay under legitimate interests. Well, that's not right. It would kind of make a mockery of the whole data protection law environment. Recital 47 also goes on to say that those legitimate interests of the data controller must be weighed against the rights and freedoms of individuals and their reasonable expectations based on their relationship with the data controller. Okay, so we're going to come on to talk about what that is. But if you've only watched three minutes of this video, please take away the message that you cannot just see that someone's referred to that in an article and think, "Oh, direct marketing, I don't need to bother with consent," because it's really not that straightforward.

Okay. So I'm going talk you through a recommended three-stage test to work out whether you can rightly claim that you're processing on the grounds of legitimate interests. Okay. Let me find it for you. Now, this is in, if you have bought my GDPR pack, which I would highly recommend that you do. It's on an introductory price of just 97 pounds, and there's about 20 documents and checklists in there that will help you to be GDPR compliant. Don't worry. You probably won't have to use all 20. I just want to give you everything that you're likely to need in that pack. If you want to know more about that, the details are in the pinned post at the top of this group. And in there is a legitimate interest assessment, or an LIA, which will help you to determine whether you can actually rely on legitimate interest as a ground for processing or not. Okay. But I'm going briefly talk you through the three stages of a legitimate interest assessment. And they are, in summary, to identify a legitimate interest, that is your legitimate interest. Secondly, to carry out a necessity test, and thirdly, to carry out a balancing test. And I'll tell you a little bit more about what those are.

So firstly, obviously, you've got to identify a legitimate interest of yours. And it has to be a real legitimate interest because part of this, if you are relying on legitimate interest, you have to actually put that in your privacy notice and clearly and transparently inform the data subject that that's what you're relying on and why it is a legitimate interest. Okay. So you really need to think carefully about that.

The second thing is to carry out a necessity test. And that's whether the processing of the personal data is necessary for the pursuit of your commercial or business objectives. Now, that doesn't necessarily mean indispensable. But it's more than ordinary useful, reasonable, desirable. Probably the easiest question to ask yourself is, "Is there another way of achieving the identified interest?" So really, you're looking at the processing here, and whether there is a less intrusive way of processing the information to achieve your desired aim. If the processing isn't necessary, then legitimate interest can't be relied on as a lawful basis for that, okay? So it's really not as simple as it sounds. In working out whether you can rely on legitimate interest or not, you have to think quite carefully about what you're doing with the data, whether there are any other ways that it can be processed, whether those ways are less intrusive, etc. So it's definitely not straightforward.

The next stage is to carry out a balancing test. And this is to make sure that the rights and freedoms of the individual whose data is going to be processed, have been evaluated, and that those interests don't override your legitimate interest. So that's why it's a balancing test. Balancing the fairness, I suppose, between your legitimate interest and the data subject's rights. You should always conduct that fairly. I mean, it's hard to do, isn't it? Not to make it unfair or unbiased. But you've always got to give due regard and weighting to the rights and freedoms of those individuals. And this should be documented in case anything is every challenged. Your thought process on it should be documented. So what you'd think about there is the nature of your legitimate interest, the impact of the processing, and any safeguards that you can put in place.

It includes things like the reasonable expectations of the individual. Would or should they expect the processing to take place? So if they would, then the impact of the individual is likely to have already been considered and accepted. If they have no expectation, then the impact is greater and is given more weight in the balancing test. So that's a big key to it is the reasonable expectations of the individual. Also need to think about the type of data. So if it's sensitive data, then you need to throw that into the mix. Think about the nature of the interest of you as a data controller. Does it add value or is it just for convenience? Is it also in the interest of the individual? And is there going to be any harm as a result of the processing?

You also need to look at the impact of the processing, and that's the positive and negative impacts on the individual. The likelihood of the impact on the individual, and the severity of that. The status of the individual. So, for example, whether they're a customer, a child, an employee, or someone else. The status of you as a controller, and whether you're in a dominant market position. And the ways in which the data's processed. So does it involve profiling or data mining, publication or disclosure to a large number of people, or is the processing on a large scale?

So it's not straightforward is what I'm trying to say. And the fact that you have to actually say what the legitimate interest is in your privacy statement should make you think very hard about whether you can rely on this ground or not. Now, the other thing to note is that there's an absolute right for the data subject to object to that legitimate processing. Let me just find the exact wording here. So it's not a case of you can claim legitimate interest and then you do away with the need for consent. That is absolutely not the case at all. So if you want to rely on legitimate interest, you must inform individuals that you're processing personal data on that ground. Tell them what the legitimate interests are, and also notify them of their right to object to the processing on those grounds. And that information's got to be provided to individuals in an explicit, clear way and separate from other information. And then you've got to have systems in place, as well, as to how do people object to that processing on this ground, and what you then do with the data.

So it's certainly not the simple option. In my mind, having a good consent procedure in terms of marketing is going to be far more effective. Now, of course, there will be grounds when legitimate interests apply. They probably aren't related to marketing. And indeed, I'm going to give you some examples now. I'll give you some that do relate to marketing and some that don't so you can have a bit of a flavor as to what legitimate interest is all about. Let me just find them.

Okay, so, here we are. Okay. So they do give as an example of direct marketing, a charity sends a postal mail shot out to existing supporters providing an update on its activities and details of upcoming events. Okay. So that's an example of when legitimate interest might apply. Now, let's look at that in terms of the test, the three-stage test that we've just come to. So existing supporters, okay. They're not sending it to any random Tom, Dick, or Harry. The charity is sending it to existing supporters. So would it be reasonable for those people to expect to receive communications about the charity? Well, yes, I think so. In terms of the impact of the processing, is it going to be detrimental to the rights and freedoms of the individual? Unlikely, isn't it? They're sending out a mail shot to people who they know are interested in events that they have. It's by post, as well, and that's important because postal direct marketing is more ... You're more likely to be able to rely on legitimate interests for postal marketing.

There's another act, the PECR, which is about to be reformed, as well, and I'm sure it will be more brought into line with GDPR. But essentially, and that deals with electronic communications such as email and text and things like that. But essentially, still under that act, and I'm sure it will be refined even more, you cannot send unsolicited emails, unsolicited marketing emails, unless people have explicitly consented to that. So you've still got that element of consent there through the PECR, Privacy and  Electronic Communications Regulations. So that's one example. The key elements there is it's by post. It's to existing supporters. It's not having any detrimental impact on them. It's a noninvasive way of processing data. And the rights and freedoms of those supporters are not being impacted. So that's one example.

They also give examples of personalization. A travel company relies on consent for its marketing communications, but may rely on legitimate interest to justify analytics to inform its marketing strategy and to enable it to enhance and personalize the consumer experience if offers the customers. So note there it's relying on consent for the marketing communications, but then in terms of the analytics, that could be a legitimate interest.

Some other relevant ones here. Web analytics. A social media platform uses diagnostic analytics to assess the numbers of visitors, posts, page views, reviews and followers in order to optimize future marketing campaigns. That could be an example of legitimate interests. Hosting data in the cloud. An airline adopts cloud-based services for hosting the data of EEA citizens. This will include where cloud-based data services are used to archive data from the live processing environment. Again, cited as an example of legitimate interests. Updating customer details and preferences. A retail company uses an external service provider to verify the accuracy of customer data and create a better understanding of its customers. The company would need to carefully consider how it was conducting this, and what the reasonable expectations of its customers would be. But aside from that, it could potentially be legitimate interests.

And then there's other examples. For example, a refugee charity for ethical and humanitarian purposes processes personal data of individuals located in the EU for the assessment and allocation of resources. This is in the interests of both the refugee and the charity, so that could be legitimate interests. Individual rights. A business needs to continue processing personal data on an individual who has exercised their right to erasure. They will need to keep basic data to identify that individual and retain it solely for suppression purposes to prevent further unwanted processing. This activity would be in the mutual interests of the individual who wishes their privacy rights to be upheld, and the business which is required to fulfill this right. Okay. So that's another example.

So I'm not going to go on with reams more. And in fact, there aren't reams more of examples. But the message I want to get home is that just because somebody's told you there is an exemption for direct marketing purposes and you can rely on legitimate interests, it's really not that straightforward, okay? So not saying you can't rely on legitimate interests. I'm sure there'll be lots of areas of your business where you potentially can. But do make sure that you've carried out that legitimate interest assessment and done that three-stage test, and you can explain it to the person that you're collecting data from because if you can't explain it in a compelling way to the person that's giving you the data, then you're not in a very good position with that. So it's not simple is the message. And I think, as I say, for the purposes of marketing, consent is in the vast majority of cases, going to be the appropriate ground for processing.

So on that note, I've also seen a lot of posts in the group about how to get that consent, and examples of, "Is this consent okay? Is that consent okay?" Obviously, I would love to put time on hold and answer personally all of your questions, but if I want to retain my sanity, I'm not going to do that. So what I want to say is that there are compliant examples in my GDPR pack. It's just 97 pounds. That's an introductory price. So I would go and if you know that you need that, if you haven't already bought something similar elsewhere, which I hope you haven't because I don't think that there's any kind of pack that's as good value as this one, go and buy that pack. Save you a lot of hassle. Know it's exactly right, and use that.

Now, what else was I going to say about that? Yes. So the forms of consent. That's the legal side of it. But also, why not take advantage of this opportunity to actually look at your list, look at your marketing, and think about some kind of re-engagement campaign before you send your email asking them to re-opt in. And I'm going to be holding an interview. We've actually got the date booked in, but I've not got my diary here. But I will post that in the group soon. It's not long. It's about a week or a week and a half. Something like that. And we will do an interview on that and how you can best re-engage your prospects before you send them the email asking them to re-opt in. So keep your eyes peeled for that.

Okay. So that is it on legitimate interest. I hope I have cleared that up for you. As I say, the legitimate interest assessment form is in the pack. So if you are buying the pack or you have bought it already, then note that that's in there, and make sure that you use that. You'll be using that alongside the form that's in there to do the data processing ... Well, the data inventory in terms of working out what data you've got, where it's come from, etc. And then matching it up with the processing ground. And if you think that legitimate interest is one of those grounds, that's when you'd go to your legitimate interest assessment form to make sure that you can actually rely on that as a ground.

Okay. I think that's all I'm going to say for now. But if you've got any questions or comments on that, please post below this video. Good evening to you all.