Currently, we receive worried calls from firms with regard to what steps they can take in order to continue to send out marketing emails and whether consent is always necessary. In short, no, it is not. There are other lawful bases for processing data; however, relying on them does not provide a guaranteed safe way forward. While consent is not always required, there are no hard and fast rules on which lawful basis is most appropriate. Every instance should be determined on a case-by-case basis.
The GDPR says, “the processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest.” An organisation may wish to rely upon legitimate interest where consent is not viable or not preferred and the relevant balance of interest condition can be met. The GDPR wording “may be regarded as…” places the onus on organisations to ensure they can establish necessity and balance their interests with the interests of those receiving the direct marketing communications. Resulting complaints and a lack of GDPR compliance could result in heavy penalties. Prospective fines or lengthy investigations will take time to deal with and defend, should they reveal breaches of the GDPR. Furthermore, the reputational damage will no doubt be severe.
The ICO commissioner also offered informative comments on her blog on this matter and we recommend you take a look:
In the meantime, let us consider when legitimate interest might be appropriate.
Article 6(1)(f) gives you a lawful basis for processing where:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Where a controller wishes to rely on legitimate interests as the ‘lawful basis’ for a processing operation, it will need to be able to demonstrate to a Supervisory Authority and/or an individual, when challenged, that it has fully considered the necessity of the purpose of processing against the rights of the individuals, and concluded that the individual’s rights did not override the interests of the controller. The decision should be documented and reviewed if the scope of the processing operation changes.
The recitals to the GDPR add the following clarifications:
“(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
At any rate the existence of a legitimate interest would need careful assessment [emphasis added] including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
The recital does not form part of the actual regulations, and it does not give ‘carte blanche’ for anyone to continue to send marketing to anyone. As such, below we have included the ICO’s comments which outline the steps and considerations any firm should take and document when relying on legitimate interests:
- Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
- It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
- If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
- There are three elements to the legitimate interest basis. It helps to think of this as a three-part test. You need to:
  - Identify a legitimate interest;
  - Show that the processing is necessary to achieve it; and
  - Balance it against the individual’s interests, rights and freedoms.
- The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
- You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
- Keep a record of your Legitimate Interests Assessment (LIA) to help you demonstrate compliance if required.
- You must include details of your legitimate interests in your privacy information.
If we consider a classic example and match it to the ICO guidance we reach the following conclusions:
You attend an event.
You pick up business cards at the event.
You process the data on the business cards back at the office to record the names, emails and numbers of the people you met.
You add them to a mail-out system.
You contact the people who gave you those business cards by phone but also as part of your direct marketing campaign.
Can you rely on legitimate interest?
In our view, considering that the people you meet are usually new potential clients or other related industry contacts who may never become clients, you should be wary of relying on legitimate interests to target the same person through direct marketing. Building a relationship is a key factor in assessing whether the individual will expect to receive marketing from you. For new potential clients it will be difficult to carry out a non-biased assessment and to prove to the ICO that the reliance was reasonable, especially as no prior relationship exists. Relying on consent will be most appropriate in this circumstance.
To break this down further using the three-part test:
1) Identify a legitimate interest = your interest to sell products or services;
2) Show that the processing is necessary to achieve it = it is necessary to make them aware of the services, which is done via newsletters or direct marketing;
3) Balance it against the individual’s interests, rights and freedoms = the individual has the right not to have their private data processed, not to have their email inbox filled with unsolicited incoming emails, and not to have their time taken up by such actions.
Taking further guidance into consideration:
- The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply. Here we would argue that you can achieve the same result by publishing your newsletters on a website, a blog or a public forum such as LinkedIn. The question you will face is ‘Why do you feel it is only possible to get people to read your marketing materials by emailing them?’ You may find that hard to explain.
- You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests. Here we would consider that a new contact is certainly a greater risk than an existing client. But in the case of the former, consider whether they would reasonably expect to receive your newsletters. The answer may be found in the way you would feel about receiving emails from a corporation yourself just because you shared your business card with a person from that corporation. If you sometimes do feel aggrieved by the emails you receive, you may think that it is not a reasonable expectation …
- Keep a record of your Legitimate Interests Assessment (LIA) to help you demonstrate compliance if required. Here we note that if you choose to rely on legitimate interests, you must remember to carry out and keep in evidence the relevant assessment and to review it from time to time when things change. Are you going to easily remember to do this? This will form a crucial part of your defence if you are wrong-footed on the issue.
At this point, it is relevant to refer people dealing with the GDPR to another less well-known regulation, the Privacy and Electronic Communications Regulations (The Privacy and Electronic Communications (EC Directive) Regulations 2003) “PECR”. The latest version of PECR came into effect on 16 May 2016. PECR will apply to you if you:
- Market by phone and/or email;
- Compile a telephone directory (or a similar public directory).
In brief this states that:
You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’. The regulation does not apply to corporations (note that it will apply to sole traders and certain partnerships). The main point of relevance is that in financial services, sole traders can include consultants or family offices, and could easily fall within a protected category of people akin to individuals. Thus, the risk lies in not cleansing your data and so carrying inherent risks in who you are targeting.
Given that the regulation could add a layer of risk, we note the following:
The rules on electronic mail marketing are part of regulation 22. In short, you must not send electronic mail marketing to individuals unless the recipients:
- Have specifically consented to electronic mail from you; or
- Are existing customers who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.
In either case, you must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.
Therefore it is uncertain whether anyone can or should rely on the GDPR legitimate interests for the purpose of any emails or other forms of direct marketing where it affects individuals. That is why, at Laven, we have been advocating consent even if legitimate interests will protect you (assuming you are handling it properly) when dealing with corporations.
In addition, many employees have personal corporate email addresses and individual employees will have a right to stop any marketing being sent to that type of email address. Furthermore, if you are processing an individual’s personal data to send B2B emails, the right to object at any time to the processing of their personal data for the purposes of direct marketing will apply.
If you breach the relevant regulations, the ICO will consider using its enforcement powers, including the power to issue a fine of up to £500,000 under the PECR, where an organisation persistently ignores individuals’ objections to marketing or otherwise fails to comply with the law. Under the GDPR, the ICO may impose a maximum fine of either EUR 20 million or 4% of turnover, whichever is greater.
Laven Partners is here to help ensure your firm and staff are up to speed with the scope and responsibilities of GDPR with our GDPR Services, which include training, gap analysis, providing memorandums for the board and ongoing monitoring through our Digital Compliance Assistant software.
Contact us here for more information.