GDPR: Making the case for using legitimate interests

david brownWith the exception of wilful cowboys, most organisations – whether they are a charity or a commercial business – probably perceive their marketing efforts as legitimate. But when the new EU data protection regime comes into force on May 25 they might have to think again.
GDPR includes several legal bases for processing and using people’s data. The two most relevant to marketers are:
Legitimate interest – defined as “where an organisation has legitimate interests to process an individual’s data for the purposes of direct marketing, unless those interests are overridden by the rights of the individual”.
Consent – defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
It’s a legal minefield but I would urge organisations of all shapes and sizes to review their data activity now and put in place legal grounds for continuing to contact donors, customers or prospects from May.
Many people have heard of GDPR and know change is coming. Others understand that aspects of data they take for granted will soon be different. Yet the exact meaning of the regulation is lost on most; there’s an assumption that ‘someone else’ within the organisation will deal with it.
While legitimate interest is a useful legal basis for marketing – and, in particular, direct mail as specified in the text – there’s a great amount of work to do to prove that legitimacy.
One WPNC charity client JDRF, which has a mission to cure, treat and prevent type 1 diabetes, is close to finalising its GDPR strategy. Katie Hepworth, the organisation’s head of individual giving, said the charity started looking at data compliance in marketing and fundraising a year ago. “Firstly, we’ve upgraded our database to meet consent tracking requirements under GDPR. We’ve also written a new privacy statement and a supporter promise, as well as reviewing our security policy.
“We are mapping our fundraising data and identifying legitimate interest. Our postal communications are to people who have already been in contact with JDRF, and who we know have a close connection to type 1 diabetes. Because of this, we believe we have a strong case for legitimate interest.”
Personally I doubt whether organisations will be able to find a one-size-fits-all approach for legitimate interest. We’re working with a number of organisations to establish the level of risk involved in communicating to particular audiences in a database about certain topics. For example, it could be okay to send a significant proportion of people a message with a specific purpose, but for another group it wouldn’t be justifiable under legitimate interest. This type of modelling and documentation of evidence seems to us the best way forward.
Katie at JDRF agrees: “It’s a case of analysing each type of communication to each segment of the database. You need to create a framework and answer all of the questions for each type of supporter.”
Unlike consent and privacy statements, which can be more clearly displayed and explained, legitimate interest will probably remain the domain of the organisation, documented and ready to use as a legal basis if challenged.
I believe that agencies are well placed to help client organisations identify legitimate interests. Because agencies find strategies to underpin relevant communications, we can look for information, insight and inspiration that forms organisations’ legitimate interests.
From the outset, be sure to investigate all the different angles for legitimate interest and document your case. Keep a constant watch on the purpose of your marketing, and always try to do the right thing.

David Brown is planning director at WPN Chameleon