If your business collects personally identifiable data from residents of EU countries, you will be subject to the General Data Protection Regulation (GDPR) – regardless of where you are based. GDPR applies to data like email addresses, telephone numbers, and physical addresses, making it a central part of the modern business environment.
The GDPR states that personal data may only be collected with freely given consent, or via another legal basis. This means that data processing is only allowed if your customer has consented, or if there is an alternative legal basis for data processing – for example, using it for direct marketing, which Recital 47 of the General Data Protection Regulation says may be regarded as a legitimate interest of the controller.
This ‘loophole’ also exists when marketing to existing customers – companies are allowed to store personal data for any customers they may have interacted with previously.
Marketing emails may also be sent without explicit consent if the company has a justified interest in ‘cold calling’, or in the case of administrative transfers within a company group.
Defining Legitimate Interests
There are three main reasons why sending email newsletters without explicit consent may be considered a legitimate interest:
• Fraud prevention
• Network and information security
• Raising awareness of public security concerns and criminal activity
The Three-Part Test
If you are wondering if your interest is considered to be legitimate, the Information Commissioner’s Office (ICO) states that businesses should go through a simple three-part test.
These three steps include:
• Purpose Test: Ask – what is the aim of collecting personal data? Who benefits from the personal data and how? Does processing this data benefit the public? If this is the case, are these benefits significant? If you were unable to process the data, what would be the consequences for your business and/or the public? Is your data processing ethical?
• Necessity Test: Ask – does processing help your business’ interests? Is processing personal data a reasonable solution to furthering your business? Can your business achieve these results without collecting personal data?
• Balancing Test: Ask – what is your business’ relationship with the recipient of your newsletter? Is there sensitive or private data involved? Would your visitors reasonably expect you to process their data? Would you feel comfortable explaining to your customers why you are collecting their data? Will some people complain or consider your use of data to be intrusive? How will your use of personal data affect your customer, and how much of an impact is this? Are you collecting the personal data of minors? Are any of the intended recipients considered to be vulnerable? Can you minimise the impact of your data collection using safeguards?
The following may also be considered a legitimate interest under the GDPR:
• Processing employee or client data
• Direct marketing
• Administrative transfers
What Counts As A ‘Legitimate Interest’, And What Does Not?
The term ‘legitimate interest’ is legally broad, but to qualify, your purpose must be considered necessary, and must reflect a specific benefit to your company, a third party, and/or the general public.
For your business’ motives to be considered a legitimate interest, you must state why you are collecting personal data, and the intended outcome of this. The benefit of any activity to the business must also be weighed against the impact on the customer.
While many purposes may be considered a legitimate interest, illegal, unethical, or illegitimate activities are prohibited.
When you ask for consent, your business should be judging its activities against this checklist:
• Is consent the most appropriate legal basis for processing personal data?
• Is consent opt-in?
• Have you made sure that the consent box isn’t pre-ticked and that you don’t use default consent?
• Is your data policy clearly written and easily understood?
• Have you specified why the data is needed and what will be done with it?
• Is your customer able to consent separately to each different purpose?
• Have you named any third parties which are involved in processing personal data?
• Have you informed your customers that they can withdraw consent at any time?
• Can your customers refuse consent without impacting them personally?
• Have you ensured that consent is not necessary to use your service?
• Do you have age-verification and parental consent measures if you are collecting data from minors?
If you cannot honestly answer ‘Yes’ to every one of these questions, then review and revise your company policies until you can.
The GDPR also regulates how businesses store and manage consent, meaning you will need to ask yourself the following questions:
• Have you recorded when and how consent was given?
• Have you recorded the information that the customer was given?
• Do you regularly review consent?
• Does your business ask for updated consent at appropriate intervals?
• Have you considered using preference management tools such as privacy dashboards?
• Is it made easy for your customers to withdraw consent and have you explained how to do this?
• Does your business act on consent withdrawals immediately?
• Have you ensured that customers who withdraw their consent are not penalised?
Organisations which are in a position of authority should not rely on consent unless they are confident that they can demonstrate that consent has been given freely.
Whenever you are in any doubt about whether what you are doing complies with the appropriate rules and procedures, make sure you err on the side of caution, as the consequences of breaching GDPR can be severe.