ICO finally publishes GDPR legitimate interest guidance

ICO new 2With fewer than 60 days to go until GDPR compliance D-Day, the Information Commissioner’s Office has finally released its guidance on how brands can use legitimate interests to gain consent for processing marketing data under the new regulation.

The move comes nine months after the Data Protection Network published its own version of the guidance, following a collaboration with the DMA, ISBA and data protection specialists.

The ICO guidance, which has just been published on its website without any notice, sets out a three-stage test that organisations can apply to help them decide whether a particular action is lawful, which covers the purpose of the activity, whether it is necessary and how this is balanced against an individual’s rights.

The regulator refers to this as a legitimate interests assessment (LIA), and even though there is no specific requirement in GDPR for companies to do this, in practice they are likely to need an audit trail of their decisions and justification for processing on the basis of legitimate interests.

While conceding that there is no one-size-fits-all approach to an LIA, the ICO provides a sample LIA template for companies to use.

It also details a number of examples, including how companies – in the case provided, retailers – can use legitimate interests for postal marketing, confirming what many people in the industry have been predicting.

This can be achieved by using  the following statement: “We will send you information about our special offers to your billing address. If you don’t want to hear about our offers please tick here.”

The guidance states: “The retailer balances the interests of its customers against its legitimate interests in sending postal marketing to existing customers to improve sales. Customers are likely to reasonably expect that they may receive some marketing material from the retailer as the retailer has provided a clear indication that this processing will occur. The impact on the individual is minimal.

“However, by giving its customers a clear opportunity to opt out of this processing, the retailer has also put in a safeguard to ensure the individual retains control over their data and can easily exercise their right to object.”
Visit the ICO website for full details of the guidance>

Related stories
We all have a legitimate interest in sound GDPR advice
Direct mail industry set for boom time under GDPR
DPN joins calls for more urgency over GDPR guidance
UK bodies publish GDPR ‘legitimate interests’ guidance
ICO insists GDPR guidance will cover legitimate interest
DMA joins forces in bid to demystify legitimate interests
Direct mail shines like a beacon in ‘post-truth world’
Direct mail industry to launch ABC-style audit scheme

Print Friendly