Is Legitimate Interest enough to save Direct Marketing under GDPR?
In my last blog on this topic, I discussed the impact GDPR will have on Outbounding. As part of my research I contacted a few companies that specialise in helping with outbound marketing. The firms themselves do not provide personal data, but they do give you tools that help identify prospects. These companies are neither the controller or the processor, but their technology is dependent on companies being able to communicate with individuals with whom they have no consent.
Two companies replied (I don’t think it is necessary or fair to name them), with one pointing out that Outbounding could be considered Legitimate Interest, and that GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
As with a lot of GDPR – this raises more questions than it does answers. There is limited conversation around this online. It seems like legitimate interest assumes that you have some form of consent from the subject.
Good Deal Insurance sell Office and Contents insurance to companies. They now sell Public Liability insurance. They want to communicate this to their customer base (they have consent from all their customers). GDPR does seem to allow communication of new services to existing customers.
Good Deal now sell Public Liability Insurance to companies outside their customer base. They compile a list of prospect companies and then look for the right decision maker in that company. They send this subject an email (sent to their work email) about the offer. The subject's details are also recorded in their CRM. There is no consent from this subject.
There are a number of areas around consent and double opt-in that need to considered in scenario A. But in general, it seems clear that this form of Direct Marketing is permitted. Even though a customer may not have expressly consented to be offered a new service (consent was given by becoming a customer via a different service).
In scenario B, there is no consent. If Good Deal email these prospects via their CRM (structured data) or via outlook (unstructured data) – they are in breach of GDPR. Even though the offer might be relevant and well targeted, it is hard to imagine how it could be considered to be in the prospect's ‘legitimate interest’. Furthermore, GDPR is quite clear that collecting and processing personal data without any form of consent or opt-in is not permitted under these circumstances.
Subject to the Article 29 Working Party issuing a clarification here, come the 25th of May 2018 - Outbounding is dead! Feel free to disagree.
If you are suffering from GDPR related anxiety, get in contact with us below (we might be able to help):