If you think "legitimate interest" is a worthy workaround to being compliant, think again. Keep these important reminders in mind when you want to obtain proper consent.
By Liz Lemarchand, MediaDev
The General Data Protection Regulation (GDPR) is the talk of the town these days in the marketing community. Big and small companies alike are scrambling to understand the impact that the EU’s legislation will have on their businesses, and consultants have popped up all over the place claiming to help those racing against the clock to become compliant. I’ve been saying for a while that the situation reminds me of Y2K — that same mad dash preparing for a big bang event that eventually falls flat. But will GDPR be another repeat of Y2K’s bust?
No one yet knows for sure what impact GDPR really will have come May this year, but many are predicting that it won’t change a thing. After monitoring online chatter in LinkedIn groups dedicated to the subject, many marketers are hiding behind the “legitimate interest” clause to get around obtaining explicit consent when emailing sales or marketing materials to prospects.
Before I get into explaining what legitimate interest is, let me back up a little. GDPR provides 6 lawful bases for processing data. No one way is better than another, but the one to select depends on your business purpose, and the relationship you have with the individual data subject.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data, but the method used may change depending on the type of data you have. In other words, you may treat employee data differently from the data that you have on prospects or current clients.
Here are the 6 legal ways in which to base data processing:
Now, as I mentioned earlier, many marketers I have come across are trying to use “legitimate interests” as a way of continuing to do what they’ve always done in the marketing space when it comes to outreach campaigns for prospects. They are hoping that doing so will enable them to get around having to obtain explicit consent. And maybe that’s ok, but then again, maybe it’s not.
What is a legitimate interest really? Can I legally argue that it’s in the legitimate interest of a prospect to hear about my product or service? Well, honestly I don’t know. My personal feeling is that when there’s a debate, it’s a good idea to take another route just to make sure your bases are covered since it’s better to be safe than sorry.
Of course, obtaining consent is not the easiest route. But trying to justify data processing as a legitimate interest in the marketing space may not fly. And what is key of course is that you respect a prospect’s wishes to opt-out in either case, since giving more control over ones’ personal data is the cornerstone of the GDPR.
Our recommendation when it comes to consent is to call prospects to get it. Oral consent is perfectly acceptable under GDPR, and it’s one of the only ways to get consent for existing data sets. Companies are certainly not expected to throw out all of the data that they have on prospects, but in order to initiate a marketing campaign that’s compliant, we recommend getting consent first.
Here are some things to remember when working to obtain consent:
Whether GDPR becomes the new Y2K or not, it’s best to take the legislation seriously and do what’s necessary in order to comply. It may turn out that the hype wears down and fizzles out in time, but for now, no one has a crystal ball to say for sure what will happen come May.