DMA head of preference services, compliance and legals John Mitchison has advised companies not to get too hung up on the opt-in model under the EU Data Protection Regulation, insisting that it is only one of six legal grounds on which personal data can be processed.
Mitchison, who was speaking at the recent Institute of Fundraising Technology Conference in London, said he had spoken to a number of charities who “feel that they are being pressured to go down this fully consent road”.
This follows high profile assurances from the likes of RNLI and Cancer Research UK that they will be embracing opt-in only.
However, Mitchison insisted that consent is only one of six legal grounds on which personal data can be processed under GDPR, and that “no one is any better than the other”.
He added: “It’s important to point out that consent is only one of the legal grounds on which you can process personal data. There are actually six legal grounds and no one is any better than the other.
“So if you choose the consent route and you only want to deal with people who have expressly opted in to receiving marketing material from you, that’s fine but it is no better legally than if you choose to do it by legitimate interest and use an opt-out method of communicating with people.
“You may have a significant part of your database for which you’ve never really bothered to collect consent and maybe you only deal with them on a direct mail basis, and you may want to just continue doing that and that’s perfectly fine to do under the basis of legitimate interest.”
His claims will no doubt raise a few eyebrows as, although the “legitimate interests” option was included in the final GDPR legislation, the Information Commissioner’s Office has yet to draw up any guidance on the issue despite confirming it will do so.
Even so, Mitchison was at pains to stress that processing data under legitimate interest was not “a get out of jail free card” which could be used to “mail anybody”.
He added that companies wishing to process data based on legitimate interest must “make sure that the legitimate interest of your organisations is balanced against the rights of the consumer; that it’s reasonable and you provide an unsubscribe option so the person can stop whenever they want to”.
Mitchison added: “A lot of the decisions that charities are going to have to make about implementing GDPR are going to come down to a business risk. You’re just going to have to think about it, develop a policy, get that approved by your board and then go with it.
“If you think that listing it all out is going to have a negative effect on the way your supporters hand over their data, you may consider making your privacy notices a little bit simpler and, effectively, taking a risk.”
20% of firms fear ruin as GDPR panic spreads globally
ICO insists GDPR guidance will cover legitimate interest
Industry on alert over third-party data legal crackdown
DMA joins forces in bid to demystify legitimate interests
GDPR consent updates spark chilling warning to brands
GDPR compensation to dwarf £30bn bill for PPI claims
Half of all firms still not compliant with 1998 data laws
Data compensation claims ‘could run into millions’
Cancer Research UK commits to opt-in data regime
Opt-in switch to rip £36m hole in RNLI’s finances