Insights into a research-based legitimate interest risk assessment

October 2018  |  EXPERT BRIEFING  |  DATA PRIVACY

financierworldwide.com


Before the General Data Protection Regulation (GDPR) came into force, each European Union (EU) Member State had its own legislation based on an EU directive. This legislation dated back to the 1990s and thus preceded social media and the rise of e-commerce. However, it is through developments in these fields that the issue of data privacy has made headlines and captured the attention of the general public.

The GDPR is designed to be an evolution, not a revolution, of the previous law, bringing it up to date with the technologically-driven world we live in. Its goal is to harmonise the rules across EU countries and give citizens updated protection over their personal data, although it is arguable how far it actually harmonises matters, since Member States retain discretion on a number of points.

The protection of personal data in society is of fundamental importance, and the GDPR is built on the concepts of transparency and accountability. Personal data is data that, either on its own or in combination with other data held, could lead to the identification of an individual. It can be processed only where there is a lawful basis for doing so under the GDPR.

If a party decides to use the consent of the individual as the lawful basis for processing, the GDPR is very clear on what tests must be met to demonstrate that consent has been properly obtained. Consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing” (Article 4(11)). In general, the requirements for demonstrating valid consent under the GDPR are much harder to meet than under the previous law. Consequently, you must think carefully about how you go about obtaining consent and exactly what that consent covers.

However, there are other grounds on which personal data can be processed, for example where you have a legitimate interest in doing so. Establishing whether legitimate interest can be relied upon can be thought of as a three-part test. First, is there a legitimate interest behind the processing (the purpose test)? Second, is the processing necessary for that interest (the necessity test)? Third, is that interest overridden by the interests, fundamental rights and freedoms of the individual (the balancing test)?

The last part of the test means that legitimate interest is not a ‘catch all’ lawful basis. The assessment should be carried out, and recorded, to be sure that it is an appropriate ground to rely upon and that the rights of the individual have been properly balanced.

Careful consideration of fundamental rights and freedoms is required. The GDPR recitals (Recital 47) explain that an important factor here is whether the individual would reasonably expect their personal data to be processed in this way, given the time and context in which it was collected.

Whether relying on consent, legitimate interests or one of the other lawful bases, it is important that you can demonstrate that you have thought about data protection from the perspective of the individual whose data is being processed.

The GDPR’s strict requirements, such as those for obtaining consent and for relying on legitimate interests, should not be seen as a barrier to business. Our research shows an 8 percent rise in ‘data fundamentalists’ between February 2017 and December 2017; that is, people who agree that consumers have lost control of their data, and who disagree that businesses handle data properly and that the laws provide reasonable protection. It is worth noting that an organisation that can prove GDPR compliance can show its increasingly data-conscious audience that it is a forward-thinking company that can be trusted with personal data.

The decision as to which legal basis to use when processing data for marketing or associated activities should be thought about carefully. Too cautious an approach to engagement and your marketing communications risk becoming generic, uninspiring and untargeted. The choice between asking for consent and relying on legitimate interest, and the details included in the privacy notice, will all affect the relationship a business can develop with its customers, consumers or followers.

Although always obtaining consent may seem the most sensible approach, it is not always the right one, for a variety of reasons. It may also not be the optimum legal basis when building relationships with customers. From our research into the use of explicit consent, we know that too much information in a consent statement can reduce both opt-in rates and the clarity of the statement.

In some circumstances the use of legitimate interest is more appropriate and can provide a less intrusive route that increases relevance to the individual. It is an approach that must always be supported by a balancing test and, where the interests of the business and of the individual conflict, the individual’s rights prevail.

If a business has robust data protection policies and frameworks and standardised data privacy assessments, then the use of legitimate interest need carry no more risk than any other legal basis for processing data for marketing purposes. It is important to stress that relying on legitimate interest does require evidence that the benefits to, and impact on, the individual have been considered, and as best practice it is advisable to ask individuals for their opinion regularly.

Asking individuals for their opinion does not necessarily mean asking directly every time you want to process data, but for the balancing test to be fair you do need a consistent framework from which to evidence the individual’s point of view.

We know that every person has different expectations, needs and desires, and that each person will be at a different point in the customer life cycle. All of this should be taken into consideration when doing a legitimate interest assessment. If you have a well-defined audience segmentation, then regular research identifying what the majority of individuals in each segment would reasonably expect can be evidence enough to tip the scales toward the processing falling within the individual’s reasonable expectations.

In fact, research has shown that similar audiences will have similar expectations in terms of the level of communication and personalisation they would reasonably accept. We know that these expectations change over time, so regular research and refreshes of the audience segmentation are important to stay relevant. This will not only enable you to build up evidence of your compliance, but also improve trust in your relationships and enable you to maintain contact with people who are likely to be interested in the topics you are communicating about. This will ultimately lead to more engaged audiences, more valuable relationships and increased sales.

The recent changes to data protection regulation have given businesses clearer direction in relation to marketing communications. The most successful relationships will come from those businesses that embrace the changes and consider long-term relationship strategies and the associated processing needs upfront, focusing on lifetime value and audience engagement. Ultimately, the legal basis you decide upon for each data processing activity should be driven by regular audience insight; this will not only reduce risk but also increase engagement and brand value.

Because of the concerns organisations have over compliance with the GDPR and the use of legitimate interest for contact and data processing, many are now using market research to back up their decisions and to provide evidence of their compliance. Our research has helped organisations carry out risk assessments to understand what different segments in their databases feel is an appropriate use of their information, and we have found that the results can vary greatly, both between different brands and between different audience segments within one business’s databases.

For example, in research into direct mail communication on different topics for one organisation, although 79 percent of the audience reasonably expected contact by post, as few as 41 percent would expect to receive communication on one of the topics the organisation was planning. Insights like this can inform an organisation’s balancing test and help it target its messaging, increase responses, reduce opt-outs and ultimately improve sales.

Research data like this will help organisations achieve targeted transparency, where they can make clear to the Information Commissioner’s Office (ICO) and to any individual why they have chosen to target particular segments with certain communications. Some organisations are taking this further and using research to support privacy by design. This is an ICO-championed concept, now reflected in the GDPR’s requirement for data protection by design and by default, of building privacy into systems and processes from the outset rather than adding it afterwards. New research is now shedding light on how to make privacy policies more targeted, transparent and easier for people to understand, in order to build trust with customers. We can all expect to see more research- and evidence-based approaches to compliance materialise as people find their feet with the new legislation and its exact requirements become clearer.


David Cole is managing director at fastmap, John Benjamin is a partner at DWF and Chris Sadler is an independent marketing consultant. Mr Cole can be contacted on +44 (0)20 7242 0702 or by email: david.cole@fastmap.com. Mr Benjamin can be contacted on +44 (333) 320 2220 or by email: john.benjamin@dwf.law. Mr Sadler can be contacted by email: chriss@fivefoot8.com.

© Financier Worldwide
