Are you GDPR’d out yet?
Last month, I explained my interpretation of ‘consent’ for GDPR. The other reason many people will rely on for keeping in touch with their mailing list is “legitimate interest.”
If you’re doing business with someone, and you have a contract or you’re negotiating for one, legitimate interest definitely applies. Consensus among the people I network with is that, if you have built your list from people you’ve met who know what you do and can reasonably expect to receive email about your business, this is a valid reason to stay in touch and can be classed as a legitimate interest. Do you agree?
Again, I recommend Suzanne Dibble’s super video collection for anyone who is uncertain about any aspect of GDPR, and some of the following information is taken from her marketing video. She suggests that, unless any e-privacy laws, ethics or industry standards are broken, in most cases direct marketing can be classed as a legitimate interest. (There are some caveats.)
The key questions to ask yourself are:
- Is the way you use people’s data proportionate, with minimal privacy impact, and such that people wouldn’t be surprised to receive it from you?
- Could people reasonably expect to receive this information from you?
- Have you worked through the “three-stage test”? This includes assessing the purpose for emailing them, ensuring it’s necessary for the purpose, and filling in a ‘balancing form’ to show whether the legitimate interest is overridden by the person’s rights or freedom. Also, did you keep a record of your ‘legitimate interest outcome’?
- Can they opt out of receiving your emails? (If you use Mailchimp, as I do, there’s always been an unsubscribe button.)
- Is your privacy policy lovely and clear?
- Are people likely to object to receiving your email? And further – are they likely to object if you explained your reasoning to them? If the answer’s yes, you can’t count on legitimate interest.
- Is whatever you’re sending likely to cause them harm? (The example Suzanne Dibble uses is people in debt receiving regular targeted emails from loan sharks or gambling websites, which can have a “significant negative effect.” If the answer’s yes, you can’t do it.)
Please note that, apparently, the ICO says that you shouldn’t rely on legitimate interest just because it seems easier to apply than consent.
That’s all I’m covering on GDPR now – and hopefully forever! Please remember that this is my own interpretation of legitimate interest; it doesn’t mean I’m correct, but I’m offering it as food for thought – or rather, fodder for further research if you think it will work for you.
So how are you deciding which legal basis to use in future? Will it be legitimate interest, consent or one of the other options?