If you think “legitimate interest” is a worthy workaround to being compliant, think again. Keep these important reminders in mind when you want to obtain proper consent.

The General Data Protection Regulation (GDPR) is the talk of the town these days in the marketing community. Big and small companies alike are scrambling to understand the impact that the EU’s legislation will have on their businesses, and consultants have popped up all over the place claiming to help those racing against the clock to become compliant. I’ve been saying for a while that the situation reminds me of Y2K — that same mad dash preparing for a big bang event that eventually falls flat. But will GDPR be another repeat of Y2K’s bust?

No one yet knows for sure what impact GDPR really will have come May this year, but many are predicting that it won’t change a thing. After monitoring online chatter in LinkedIn groups dedicated to the subject, I’ve found that many marketers are hiding behind the “legitimate interest” clause to get around obtaining explicit consent when emailing sales or marketing materials to prospects.

Before I get into explaining what legitimate interest is, let me back up a little. GDPR provides 6 lawful bases for processing data. No one way is better than another, but the one to select depends on your business purpose, and the relationship you have with the individual data subject.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data, but the method used may change depending on the type of data you have. In other words, you may treat employee data differently from the data that you have on prospects or current clients.

Here are the 6 legal ways in which to base data processing:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Now, as I mentioned earlier, many marketers I have come across are trying to use “legitimate interests” as a way of continuing to do what they’ve always done in the marketing space when it comes to outreach campaigns for prospects. They are hoping that doing so will enable them to get around having to obtain explicit consent. And maybe that’s ok, but then again, maybe it’s not.

What is a legitimate interest really? Can I legally argue that it’s in the legitimate interest of a prospect to hear about my product or service? Well, honestly I don’t know. My personal feeling is that when there’s a debate, it’s a good idea to take another route just to make sure your bases are covered since it’s better to be safe than sorry.

Of course, obtaining consent is not the easiest route. But trying to justify data processing as a legitimate interest in the marketing space may not fly. And what is key, of course, is that you respect a prospect’s wishes to opt out in either case, since giving people more control over their personal data is the cornerstone of the GDPR.

Our recommendation when it comes to consent is to call prospects to get it. Oral consent is perfectly acceptable under GDPR, and it’s one of the only ways to get consent for existing data sets. Companies are certainly not expected to throw out all of the data that they have on prospects, but in order to initiate a marketing campaign that’s compliant, we recommend getting consent first.

Here are some things to remember when working to obtain consent:

  • Data selection: Choose the data that you’re concerned with to analyze what you have and what you’re missing. In many cases, data sets have a lot of white space that needs filling in — you may have information on companies and not on contacts, in which case you’ll need to enrich your data through online profiling and outbound telemarketing.
  • Script creation: Before any phoning activity, it’s best to outline what you’re going to say. A prospect needs to know exactly who you are and why you are calling — if you’re looking to get their consent to email them, you need to make that explicit and clear. It’s best to have a call guide in front of your callers so that they don’t forget key points that must be covered.
  • Time stamps: Because GDPR requires proof of consent, you’ll need to make sure that your CRM or bespoke tool is able to capture time stamps (the date and exact time that consent was provided) for each prospect you reach. This information should be kept with the personal data that you have gathered and confirmed on the phone. Time stamps can be used in cases when a prospect forgets having provided consent (which happens more than you think).
  • Data updating: The only way to know that the data you have is as up-to-date as possible is to verify it over the phone. Data is a living and breathing organism — it changes all the time. If you leave a database to sit and collect dust, in a few short months it will be entirely outdated. Our research has shown that 50% of contacts on LinkedIn have not updated their profiles to include the latest details on their current employers. That likely means that the data you have is inaccurate and may not serve its purpose. Use GDPR as an opportunity to make sure the contacts you have still work for those companies and that they haven’t changed positions, office locations, etc., and if they have, rectify or delete their data as needed.
  • Double opt-ins: Some companies go one step further than oral consent and have decided to go the double opt-in route. This means that after speaking to a prospect on the phone, they are sent an email with a link to click in order to opt-in again using an online form. This may be overkill for some, but for others it’s the total guarantee that a prospect really is interested in receiving information.


Whether GDPR becomes the new Y2K or not, it’s best to take the legislation seriously and do what’s necessary in order to comply. It may turn out that the hype wears down and fizzles out in time, but for now, no one has a crystal ball to say for sure what will happen come May.
