GDPR Legitimate Interest

30/07/2018

The GDPR conundrum continues with people now more than a little confused about when they can rely on legitimate interest for processing personal data for marketing purposes.

For business-to-business marketing, legitimate interest may be used as your legal basis for processing work email addresses that identify individuals in their business capacity (for example, steven.brunt@beswicks.com).

This relies on you being able to demonstrate that your interest in marketing your business is balanced with the recipient’s rights and reasonable expectations. Please note that different rules apply when marketing to sole traders and some partnerships.

Legitimate interest is significantly strengthened if you have an existing relationship with your recipient. For example, if they have bought a product or service from you, you could reasonably assume that they may be interested in similar products or services. You should always include a clear ‘opt out’ link to enable them to unsubscribe if they do not require the information that you send.

Think of it practically: if you have an email address for a business contact that belongs to somebody who bought a product from you within, say, the last six months, it would be reasonable for you to legitimately consider them to be a customer to whom you can market related products.

Be careful, though: if they made their purchase longer ago than this and you’ve had no contact with them since, your connection with them becomes more tenuous and legitimate interest may no longer be appropriate.

In contrast, if you acquire an email address belonging to an individual with whom you have never had any contact, it would be more difficult to argue that you have a legitimate interest in contacting them.

Similarly, if you put an email address on your website for enquiries about beauty treatments, you do so to make it easier for customers to get in touch and access your services, not as a way of consenting to receiving emails offering car parts or recruitment services.

The Information Commissioner’s Office advises that legitimate interest may be appropriate when:

  • the processing is not required by law but is of clear benefit to you or others;
  • there’s limited privacy impact on the individual;
  • the individual should reasonably expect you to use their data in that way; and
  • you cannot, or do not want to, bother them with consent requests when they are unlikely to object to the processing.

It is important to note that legitimate interest does not apply to everything and you should not use it as the default basis for all your processing simply because it seems like an easy option.

To be certain whether legitimate interest is an appropriate legal basis to process personal data you should carry out a risk assessment or test, which requires you to explain why you are processing the data and justify why this is in your legitimate interest. The onus is also on you to demonstrate that your interests are balanced with the rights and interests of the individual whose data you wish to process.

If you need assistance to ensure compliance with GDPR, we can provide legal advice and have document packs available for both internal and external facing policies and procedures. Get in touch for details.