THE BEST WAY TO SOURCE DATA
When it comes to bad data, businesses are losing out. With so many options for sourcing data, what’s the best choice for you and your business?
READ MORE
Article 6(1)(f) gives you a lawful basis for processing only if & to the extent that at least one of the following applies:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”
So, setting aside the legal jargon, what does this mean in practice? Essentially the onus is on you to balance your legitimate interests and the need of processing personal data against the interests, rights, and freedoms of an individual. This differs to other lawful foundations, which supposes that both your interests and those of the individual are balanced.
Need more clarification? The Information Commissioner’s Office (ICO) outlines a three-part test to help you determine if your data processing falls within lawful legitimate interest. They recommend carrying out the test in the following order:
It is not enough for you to decide that it’s in your legitimate interests and begin processing the data. You must be able to meet all three parts of the test before you start processing.
The first step requires you to use your common sense. Ask yourself if what you’re pursuing is a legitimate interest. The positive news is that direct marketing is recognised as a legitimate interest, but this doesn’t mean that all direct marketing is a legitimate interest. For instance, if your marketing practises are unlawful and unethical, they won’t be considered a legitimate interest. Bad news for anyone making nuisance calls to flog sub-standard double glazing or circulating spam emails in breach of electronic marketing rules.
Ultimately, the data processing must be necessary to achieve your legitimate interest. Is the processing proportionate and adequately targeted to meet your specific goals? Could you employ a more moderate and less intrusive method? If you can accomplish the same outcome without using the personal data then you don’t have legitimate grounds for using it. Think about your own experiences – we’ve all filled out web forms which ask far too many unnecessary invasive questions. Only gather the personal data (if any) that is truly essential to your direct marketing activity.
Lastly, there’s the balancing test – do your legitimate interests outweigh the rights of the individuals whose personal data you’re using? As well as considering their interests, fundamental rights, and freedoms, you must also ensure that they don’t override your interests. Proportionality is key here – the interests of an individual could outweigh your legitimate interests if you intend to use their personal data in ways they would not reasonably expect. Bombarding individuals with nuisance calls or contacting them in the middle of the night would clearly be unreasonable behaviour. For B2B marketing, calling individuals at work about a product or service relevant to their job role, is more relevant and appropriate. Ensure that you’re always bearing in mind an individual’s interests, as well as marketing to them in a sensitive and respectful manner.
In direct marketing, an individual has the right to object to how their data is processed for marketing purposes. In these circumstances, you must stop processing their data immediately. In telemarketing, check your data against the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS) registers. Keep your own record of anyone who has asked you to stop marketing to them. With email marketing, you should always provide an unsubscribe link and ensure that anyone who unsubscribes is not contacted again. There are slightly tighter rules for sole traders and consumers, which may be relevant to you and will need further examination, when it comes to email marketing.
Ultimately, don’t stress that consent is the only way forwards for your marketing methods, particularly B2B marketing. Hopefully now you understand the basic rules and regulations when it comes to using legitimate interests as the basis for your marketing. Use your common sense, carry out the three-part test, keep your records up-to-date and don’t forget to document your decisions on legitimate interests.– Following these simple rules will help to demonstrate your GDPR compliance.
[This article was originally published by Nathan Topping in June 2022. It was subsequently updated by Angela Kunawicz in December 2022.] Please note this article is intended for guidance only and is not intended as legal advice. For more information visit ico.org.uk
Get in touch to find out how we can help you meet your business growth objectives.
Blueberry Marketing Solutions Ltd
Consort House, 12 South Parade, Leeds, LS1 5QS