With the Information Commissioner’s Office stalling on its own consent guidance for GDPR, the Data Protection Network is offering marketers a lifeline by publishing its own guidance on so-called “legitimate interests” following a collaboration with the DMA, ISBA, and data protection specialists.
Plans for the cross-industry initiative were first hatched in March after the ICO seemed to suggest it would not be publishing specific guidance for legitimate interests; a move it subsequently denied.
The DPN guidance is a practical tool to help commercial and not-for-profit organisations assess whether or not they can rely on legitimate interests as a lawful basis for processing personal data under the GDPR.
It will be kept under review, updated as necessary and the DPN says it welcomes any feedback to help develop further versions. Marketers’ continued use of legitimate interests under the new laws was something the DMA and partners lobbied hard for in the EU.
In 2016, the Information Commissioner’s Office (ICO) called for the industry to work with regulators to make sure it has the guidance it needs and the DPN answered the call.
DMA managing director Rachel Aldighieri said: “In order to prepare for GDPR in time for May 2018, businesses need to understand how, when and why they’re able to use legitimate interest as a legal basis for contacting potential customers. According to our latest GDPR and You research, one in four marketers are concerned about the issue of legitimate interests under the new rules.”
According to the GDPR, organisations need to identify one of six lawful bases for the processing of personal data. In its draft guidance on consent, published earlier this year, the ICO stressed that consent should only be used when a genuine choice can be offered. If this is not possible, then other grounds for processing should be considered.
Legitimate interests is one alternative, but it needs careful consideration. The interests of an organisation must not be outweighed by the privacy rights and freedoms of individuals, for example.
A draft of the DPN’s Guidance was submitted to the ICO in the spring and the initiative has been welcomed by both the ICO and the DPC in Ireland as an example of industry proactively supporting regulators.
Aldighieri added: “The ability for marketers to continue to use legitimate interest under the new laws was something the DMA lobbied firmly for, so it’s great to have guidance on this very important issue that has also been welcomed by the ICO.”
The final guidance includes a template for conducting the crucial “3-stage test” – a legitimate interests assessment, examples of where legitimate interests might apply, and help on how organisations can fulfil the requirement to communicate the use of legitimate interests to individuals.
Robert Bond, chairman of the DPN and partner and notary public at Bristows LLP, said: “I am delighted that the DPN and other collaborators have been able to publish this guidance. I appreciate the work of all involved and the ICO for valuable scrutiny and comment.”
Last week it emerged that the ICO’s consent guidance – including its own take on how legitimate interests can be used – may not emerge until December.
To view the full guidance visit the DPN website>
GDPR fears mount over delay to ICO consent guidance
ICO insists GDPR guidance will cover legitimate interest
John Lewis and HSBC slam ‘ambiguous’ GDPR guidance
Lack of GDPR guidance fuels fears over bombardment
ICO rebuffs GDPR guidance failings despite RNLI rethink
Industry on alert over third-party data legal crackdown
DMA joins forces in bid to demystify legitimate interests
GDPR consent updates spark chilling warning to brands