Are You Lagging Behind with Legitimate Interest?

If you are old enough to remember the UK’s only 100 metre Olympic gold medallist, Linford Christie, his mantra was to go on the ‘B of the Bang’. However, in the race to GDPR compliance a strange situation unfolded whereby the gun went off, but everyone stood at the start line not wanting to get out of the blocks too fast, for fear of being the one to make a false start.

As we enter the third month of a post GDPR world much of hype and scaremongering surrounding the regulation has died down, giving the impression most have crossed the finish line, but this could not be further from the truth. Yes, there are some organisations (both large and small) that have collected their medals and are keeping up the training, however many still can’t even see the finish line, have not started running at all, or are heading at speed in the wrong direction.

In my experience many marketers are still totally confused as to what they should be doing to stay on the right side of this landmark new law, despite huge sums of money already being spent. I have had worrying conversations of late with Compliance Officers and designated Data Protection Officers who are now beginning to cast serious doubt on the ‘expert’ GDPR advice they paid a pretty penny for.

Nowhere is this more evident than in the use (or lack of use) of legitimate interest. One of the biggest bones of contention that is continuing to plague organisations is whether sending marketing communications under the guise of legitimate interest is workable, with many fearing it will not stand up to scrutiny if the regulator comes calling. How many emails from brands did you receive pre 25^th May that attempted to reapply consent, as conscientious yet somewhat misinformed marketers tried to apply a belt and braces approach. The madness of this approach was that in accordance with PECR, there needed to be consent in place in order to send the email in the first place!

Legitimate Interest has a legitimate use

If there is one key message I would want marketers to understand it is that Legitimate Interest is not a ‘Get out of jail free card’, but if used appropriately and responsibly it is one of the most compelling ways to engage with your customers. There is nothing wrong with using consent, but you stand the very real risk of decimating your marketing database as some have already discovered to their cost.

Much has been made of the huge fines the ICO has within its power to apply and reputational damage that may result from such action. The resulting fear has led to many taking the consent route. However, the ICO has always been clear in its position, as its Head of Risk and Governance, Louise Byers, stated in an address to the IRMS Conference just days before GDPR came in to force:

“Hefty fines can be and will be levied on those organisations that persistently, deliberately or negligently flout the law.”

It is an undisputed truth that our industry has suffered from some very bad press over the years, because of the actions of a few who behave in this way. It is my hope and expectation that GPDR will go some way to putting an end to poor marketing practice. Undoubtedly, some will attempt to exploit Legitimate Interest but that is no reason for you not to use it legitimately and responsibly. The ICO provides very clear guidelines explaining exactly how Legitimate Interest can be lawfully used to process customer data. Take a look at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/.

Regardless as to where you are in your race to GDPR compliance, whether it is a marathon or a sprint, I would encourage you to take a breather and re-check what you are doing. If you are one of the many who have been advised or instructed to avoid Legitimate Interest I would urge you to rethink and revisit your approach. And, if you have been sending consent emails, review your PECR compliance.

You may not have gone with the ‘B of the Bang’ with regard to GDPR, but e-Privacy Regulation is on its way (it is still pending final EU approval) and whilst GDPR compliance does not necessarily mean you will comply with the new laws surrounding e-Privacy, you will have a big head-start.