Renee

What is legitimate interest? A plain English guide to this confusing topic

Are you GDPR’d out yet?

Last month, I explained my interpretation of ‘consent’ for GDPR.  The other reason many people will rely on for keeping in touch with their mailing list is “legitimate interest.”

If you’re doing business with someone, have a contract with them or are negotiating for one, legitimate interest definitely applies. Consensus among the people I network with is that, if you have built your list from people you’ve met who know what you do and can reasonably expect to receive email about your business, this is a valid reason to stay in touch and can be classed as a legitimate interest. Do you agree?

Again, I recommend Suzanne Dibble’s super video collection for anyone who is uncertain about any aspect of GDPR, and some of the following information is taken from her marketing video. She suggests that, unless any e-privacy laws, ethics or industry standards are broken, in most cases direct marketing can be classed as a legitimate interest.  (There are some caveats.)

The key questions to ask yourself are:

  • Is the way you use people’s data ‘proportionate’, with minimal privacy impact, and such that people wouldn’t be surprised to receive it from you?
  • Could people reasonably expect to receive this information from you?
  • Have you worked through the “three-stage test”? This includes assessing the purpose for emailing them, ensuring it’s necessary for the purpose, and filling in a ‘balancing form’ to show whether the legitimate interest is overridden by the person’s rights or freedom. Also, did you keep a record of your ‘legitimate interest outcome’?
  • Can they opt out of receiving your emails? (If you use Mailchimp, as I do, there’s always been an unsubscribe button.)
  • Is your privacy policy lovely and clear?
  • Are people likely to object to receiving your email? And further – are they likely to object if you explained your reasoning to them? If the answer’s yes, you can’t count on legitimate interest.
  • Is whatever you’re sending likely to cause them harm? (The example Suzanne Dibble uses is people in debt receiving regular targeted emails from loan sharks or gambling websites, which can have a “significant negative effect.” If the answer’s yes, you can’t do it.)

Please note that, apparently, the ICO says that you shouldn’t rely on legitimate interest just because it seems easier to apply than consent.

That’s all I’m covering on GDPR now – and hopefully forever! Please remember that this is my own interpretation of legitimate interest; it doesn’t mean I’m correct, but I’m offering it as food for thought – or rather, fodder for further research if you think it will work for you.

So how are you deciding which legal basis to use in future? Will it be legitimate interest, consent or one of the other options?

GDPR consent – a plain English interpretation for email marketing and social media

“Four things you must do, four things to avoid, and six tips to make your life easier.”

Since I sent you my ‘GDPR in plain English; 10 steps to take now,’ I’ve spent a good deal of time on webinars, in chatrooms and at expert panels, where some very smart people have presented their own interpretations of what GDPR really means to us small business owners.

But the truth is, it’s still a greyish area. Maybe not an infamous 50 shades, but certainly enough hues to confuse an awful lot of people.  The guidance is quite clear; how to put it into practice somewhat less so…

There are six lawful reasons for ‘processing personal data’ – in other words, storing information and emailing people. In reality, for most people reading this, only two reasons are likely to apply:

  • Legitimate interest; and
  • Consent

Let’s focus on consent, because what we believe to be consent isn’t necessarily recognised as consent under the new law. Here are four things you must do, four things to avoid, and six tips to make your life easier.

You must:

  • Gain clear re-consent to email everyone on your mailing list. This means ‘affirmative action’ on their part. We can’t simply assume it’s okay to continue emailing them because they haven’t told us otherwise.
  • Gain consent to email new people. We can’t work on the presumption that a business card swap at a networking lunch implies agreement to join a mailing list.
  • Keep a clear record of when and why each person gave their consent. This includes recording how they “signed up,” what you told them you’d do with their data and what your privacy policy was on that date. I’ll be keeping a simple Excel spreadsheet from now on and hoping that’s sufficient.
  • Have an up-to-date privacy policy that is clearly accessible on your website, not hidden in the footer. (Mine’s still in the footer…)

You can’t:

  • Keep anyone’s personal data after May 25th if they haven’t agreed to it (unless one of the other reasons applies – such as legitimate interest or contract). You have to delete it! Yes, I know… all those years of carefully cultivating an email list.
  • Collect people’s information without a good reason. And only ask for what you need – don’t try to find out ‘sensitive data’ like date of birth, dress size, skin colour or who they fancy – unless you can absolutely justify why you need this information.
  • Email people for any reason other than what you’ve agreed with them. So you might hope to raise extra money for charity by emailing your business list to let them know you’re doing a sponsored parachute jump – and chances are no one will report you for this – but it’s not allowed under the new rules. Likewise, you can’t take someone’s email to send them a free gift then add them to a mailing list for marketing. This applies to social media marketing too – so there should be no more signing up for anything via Facebook then receiving unrelated emails from the same company or an associated one.
  • Ignore the law. Lots of people are pooh-poohing the extortionate fines being quoted – after all, would the ICO really bankrupt a small business owner for sending an email to someone who hadn’t agreed? Of course not, but the aggravation of a potential investigation is surely not worth it.

There are various things you can do to make the transition to GDPR compliance easier for yourself.

These six tips should make the process easier!

  1. Add a clearly worded Privacy Policy to your website. Make sure it’s written in plain English and addresses all the points necessary to make it GDPR compliant.
  2. Audit your sign-up process. Check the way you add people to your mailing list – through a website sign-up form, via a Facebook promotion, from business cards, from a ‘pop your card in this jar to win a bottle of champagne’ scheme. Then ensure the way you add them moving forward complies with the law.
  3. Watch a brilliant two-hour webinar with a specialist GDPR lawyer named Suzanne Dibble here. She worked for Richard Branson to set up Virgin’s data protection compliance and she runs a very useful Facebook group. (I’ve seen the video – she also has many short videos on various different GDPR-related topics.) There’s a link to a useful GDPR checklist too.
  4. Buy Suzanne’s legal document pack. (I haven’t done this but I’ve seen many recommendations for it on Facebook.) This includes a standard privacy policy.
  5. Remember that it’s about being reasonable. Could someone ‘reasonably’ expect to receive email from you? If in doubt, leave them out.
  6. Reframe the whole ‘losing loads of subscribers’ issue in your mind. View it as an opportunity to clean up your mailing list. Having fewer people on your list can actually be helpful as you’ll have better open and engagement rates, which means more of your emails will land in people’s inboxes and fewer will go into their trash.

I’ve used the word interpretation in my heading as that’s what this is – my interpretation of it, based on hours of research and my ability to quickly sift through mounds of conflicting information to find the linguistic diamond in the sand.

So, just to get my own little beachball rolling, if you’d like to stay subscribed to my mailing list to receive social media tips – or you’d like to sign up now – please leave your name and email in the sign-up box below.

You can unsubscribe at any time, of course.  On a final note, signing up confirms that you’ve read and understand our privacy and cookies policy. Thanks!

I hope these notes are helpful. Please tell me if you’d like to know more about the ‘Legitimate Interest’ basis for processing personal data and I’ll cover that next time.