While we were on our Easter break, the Information Commissioner's Office (ICO) published some more useful guidance on Legitimate Interest.
From a marketing perspective, when looking at the lawful basis to continue to process data, we can use either 'Consent' or 'Legitimate Basis'. Consent is easier to understand than Legitimate Basis, so the clarification is welcome.
You can read the full details here
And here's my high-level summary of critical areas for those of us in B2B marketing...
There is a three-part test to work out if Legitimate Interest can be used:
1. Purpose test – is there a legitimate interest behind the processing?
2. Necessity test – is the processing necessary for that purpose?
3. Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
There's a useful tool to work this out.
Look for the question 'Can we use legitimate interests for our marketing activities?'
Answer: 'Yes, in some cases, but you need to apply the three-part test and ensure that you comply with other marketing laws. Recital 47 of the GDPR says:
“…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This means that direct marketing may be a legitimate interest. ...If e-privacy laws require consent, then processing personal data for electronic direct marketing purposes is unlawful under the GDPR without consent.'
Look also for the question 'Can we use legitimate interests for our business to business contacts?'
Answer: 'Yes, it is likely that much of this type of processing will be lawful on the basis of legitimate interests, but there is no absolute rule here and you need to apply the three-part test.
You are still processing personal data when you are using and holding the names and details of your individual contacts at other businesses. You must have a lawful basis to process this personal data....
'You may find it is straightforward as business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally.'
They give a great example of the business card exchange, which I repeat below - hurrah!
Individuals attend a business seminar and the organiser collects business cards from some of the delegates.
The organiser determines that they have a legitimate interest in networking and the growth of their business. They also decide that collecting delegate contact details from business cards is necessary for this purpose.
Having considered purpose and necessity the organiser then assesses that the balance favours their processing as it is reasonable for delegates handing over business cards to expect that their business contact details will be processed, and the impact on them will be low. The organiser also ensures that it will provide delegates with privacy information including details of their right to object. The organiser subsequently collates the contact details of the delegates and adds them to their business contacts database.
If you intend to process the personal data of your business contacts you need to remember that individuals’ rights, including the right to be informed, still apply.