GDPR – What now?

Nearly a month has now passed since the General Data Protection Regulation (GDPR) came into effect on May 25th, and ensuring compliance is crucial going forward to avoid costly fines. There are still many discussions and blurry lines about what you can and cannot do when it comes to controlling and processing data. Like most of us, you probably received a string of emails leading up to May 25th asking for your consent to opt in to further communications or to update your preferences. You may also have noticed that some businesses did not send you an ‘opt-in’ email, but instead something along the lines of ‘We have updated our Privacy Policy’. Here are two possible explanations for why they did not send you an email requesting your ‘opt-in’:

either

1. they already have a record that you have previously and actively given your consent

or

2. they are processing your data on the basis of legitimate interest.

 

What is a legitimate interest?

Legitimate interest is a clause under the GDPR which allows for the processing of data without gaining consent, provided there is a balance of interests between the data processor and the individual. Examples include working in the same or a similar industry where there may be a balanced interest in the services or products, the individual being an existing client or customer, or the processing of data being absolutely necessary to meet a legal obligation. Provided the data is not processed in a way that is unrelated to that relationship, you may continue to send communications based on legitimate interest unless the individual opts out.

In light of GDPR, businesses should have an updated Privacy and Cookie Policy to explain how they collect, manage and use your data, which also explains the emails you may have received notifying you of their updated policies. A business should explain in its Privacy Policy the legal basis for processing your data, whether that be legitimate interest, consent or both.

For B2B marketers, and email marketing in particular, there are some crucial boundaries regarding the email addresses you can and cannot send to on the basis of legitimate interest. You can continue to send to email addresses provided the recipient is a Limited company, a Limited Liability Partnership, a partnership in Scotland or a Government department, and you are sending the email to a business email address. However, if the person you are emailing is a sole trader or works in a partnership, you will require an initial opt-in from them, even if you are sending the email to their work email address and there is a legitimate interest.

 

Completing a Legitimate Interests Assessment

The processing of data based on legitimate interest is a credible alternative where gaining consent is not an option; however, we advise that data controllers undertake a Legitimate Interests Assessment (LIA). This process consists of a series of questions that help you to determine whether the processing of data under Legitimate Interests is viable and, if it is, demonstrate that there is a balance of interests between the two parties. You should go through the LIA process each time you plan to newly process personal data under Legitimate Interests.

If you have any questions regarding GDPR and how it affects your marketing, contact us on 01962 600 147 or email info@tlc-business.co.uk.