GDPR and Legitimate Interests
This newsletter is intended to give you more information about sending business to business marketing emails, after GDPR comes into effect on 25 May 2018. It sets out the background to using Legitimate Interests as the legal basis for processing email data, and provides a briefing for what those emails must contain in order to be compliant with GDPR and PECR. Finally there is a checklist for you to complete to document that you have complied with the requirements of GDPR. It is specifically related to the use of email addresses for marketing purposes, rather than any other form of processing.
BACKGROUND
After the implementation of GDPR in May 2018, it will still be possible to send B2B emails, provided they are relevant to the recipient, who could reasonably expect to receive the information. For example, golf greenkeepers could reasonably expect to receive an email from the manufacturer of grass cutting machinery, telling them about a new product.
However, in order to use the email data, the sender will need to identify one of six legal bases for processing the data. The most appropriate basis for direct marketing is likely to be Legitimate Interests. According to the Data Protection Network Guidance, “GDPR says ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’. An organisation may wish to rely upon Legitimate Interests where consent is not viable or not preferred and the Balance of Interests condition can be met. The GDPR states ‘may be regarded as…’ so organisations will still need to ensure they can establish necessity and balance their interests with the interests of those receiving the direct marketing communications”. For a link to the DPN’s Practical Guide for Businesses, please click here.
To rely on the Legitimate Interests clause, you need to conduct a Legitimate Interest Assessment. This procedure is outlined below, but we are happy to advise if you need help, and we can even carry out the process for you if you prefer.
The three key stages of the Legitimate Interest Assessment (LIA) are:
- Identify a legitimate interest – for example, your business interests would benefit from sending a marketing message to carefully selected recipients, informing them of your products and services.
- Carry out a necessity test – Assess whether there is any other way of sending this information, other than by email. If there is another way (perhaps direct mail) but it would require disproportionate effort or expense, then processing the email data is necessary.
- Carry out a balancing test – This involves the nature and impact of using the email data – it is important to establish that the recipient could reasonably expect to hear from you in relation to their job role, and that your interests in sending the email do not outweigh the interests or fundamental rights and freedoms of the recipient.
If you can demonstrate that you have carried out the assessment fairly, you will be able to rely on Legitimate Interests to send B2B marketing emails. As part of the process, it is important to keep a record of your decisions – the Checklist at the end of this newsletter will help to document the procedure.
EMAIL BRIEFING
To comply with the requirements of GDPR, B2B emails must meet certain standards:
- It must be clear who the email is from
- The sender’s contact details must be clearly displayed
- The recipient must be informed that the legal basis for emailing them is Legitimate Interest
- The email must contain an unsubscribe link
- The recipient has the right to object to further emails, the right to correct their data, and the right to be forgotten. The email must contain sufficient information for these rights to be exercised, and the recipient’s wishes must be carried out
CHECKLIST FOR LEGITIMATE INTERESTS
Identify your Legitimate Interest
Can you demonstrate that your marketing email broadcast benefits your company’s interests?
Necessity Test
Is an email broadcast the most economical and efficient method of sending your marketing message?
Balancing Test
Could sending an email broadcast override the interests or fundamental rights and freedoms of the recipient?
Transparency
Does your email make it clear who it comes from, and contain adequate contact information?
Notification
Does your email inform the recipient that you are sending it under the Legitimate Interests clause?
Reasonable Expectations
Could the recipient reasonably expect to receive an email from your company in the conduct of their job role?
Relevance
Is your email marketing message relevant to the recipient?
Recipients’ Rights
Does your email clearly give the recipient the opportunity to object, to unsubscribe, to be forgotten or correct their data?
For a comprehensive checklist, see the ICO’s latest guidance.
Although this process may seem complicated, it is important to complete and document it, in order to comply with the requirements of the GDPR when sending B2B email marketing. If you prefer, we can conduct the Legitimate Interest Assessment for you, and complete the Checklist, to ensure that your marketing emails are compliant after May 25th 2018.
If you need any further information, you can find further resources here