GDPR: How legitimate are your legitimate interests?

With the introduction of the General Data Protection Regulation (GDPR) now just six months away, one particular aspect of the new regime seems to be of particular concern to organisations across all sectors: how am I allowed to communicate with people if I haven’t got their clear consent?  In the absence of specific guidance from the Information Commissioner’s Office (ICO), a growing number of voices are propagating what we call the ‘legitimate interests myth’.  In this article, we aim to challenge this myth and provide organisations with a more reliable framework upon which to build their GDPR policies.

The ‘legitimate interests myth’ is based on the argument that it may not be necessary to get explicit opt-in consent from recipients of direct marketing, fundraising and other unsolicited communications under the GDPR, as it’s only one of six legal grounds on which personal data can be processed.

While this is factually correct, we feel that this interpretation is dangerously misleading.

Of the six legal bases for recording and using personal information, one refers to opted-in consent, a second to performance of a contract (for example, operational communications with your customers, employees, members, suppliers and so on) and three of the other four can only be applied in very particular circumstances and are unlikely to legitimise marketing and fundraising activities.  This leaves the sixth and final test, which is a less specific one based on ‘legitimate interests’.

As gaining explicit consent can be a difficult exercise – and may result in the intended recipients exercising their right not to be contacted and withholding their consent, whether overtly or just through not responding – many organisations are convincing themselves that they can rely on this ‘legitimate interests’ clause to hold personal information and use it for marketing-related purposes.

Although the ICO will not publish specific guidance until the New Year, the clues are there that suggest (quite strongly) that only the fully opted-in consent approach can be used to legitimise marketing activities under the GDPR. Organisations shouldn’t be encouraged to think otherwise.

There are good reasons why we say this. The Information Commissioner, Elizabeth Denham, recently confirmed in respect of consent and legitimate interests that: “the ICO’s draft guidance on consent is a good place to start right now.  It’s unlikely that the guidance will change significantly in its final form.  So you already have many of the tools you need to prepare.”

So what does the ICO’s current guidance say? “The Data Protection Act recognises that you may have legitimate reasons for processing personal data that the other conditions for processing do not specifically deal with. The ‘legitimate interests’ condition is intended to permit such processing, provided you meet certain requirements.”

In our view, the key phrase here is that ‘legitimate interests’ only apply in cases that “the other conditions for processing do not specifically deal with”.  In other words, if gaining consent is possible and appropriate, then that must be the relevant legal basis for holding and using personal information.  You can’t cherry-pick the condition that happens to suit your interests.

We’re not alone in this view, and even the Direct Marketing Association’s own Compliance Officer has stated that the legitimate interest clause is “not saying that legitimate interests is a basis for direct marketing activities without consent”.

So if the ‘legitimate interests’ argument cannot be used to justify unsolicited marketing emails, what sorts of activities was it designed to enable? We would argue that ‘legitimate interests’ would validate an employer getting in touch with a former employee to inform them of changes to their pension scheme, or a business passing on the contact details of a non-paying customer to a debt repayment agency.

In our opinion, it’s inconceivable that the regulators have introduced rules that empower individual data subjects to control who has their personal data and what they can do with it, only to provide a specific loophole that allows organisations to ignore that imperative.  It just doesn’t chime with the ethos underpinning the new regulation and the messaging from the regulators.  You only need to look at the language of the GDPR and the current guidance provided by the ICO to see clearly that the rights of the individual are paramount and can only be overridden in exceptional circumstances.

So, unless you can demonstrate a reason why your rationale for not gaining consent outweighs the necessity or possibility of asking for consent, we think it’s a mistake to rely on ‘legitimate interests’ to validate holding and using someone’s personal information in this way.

Further clarity from the ICO cannot come too soon, given that organisations should have already started their preparations for the GDPR.  Until we get more guidance, be alert to the ‘legitimate interests myth’ and challenge anyone who suggests that you don’t need explicit consent for marketing-related and other unsolicited communications.

Ian Singer is an IT Assurance Partner at PKF Littlejohn