When GDPR legislation was first revealed, there was a significant increase in conversation about how this would affect the direct mail industry. With the new requirement for companies to gain ‘explicit consent’ from their customers in order to be able to send them future marketing materials and promotional correspondence, many saw this as a potential barrier to reaching a large portion of their customer base.
In January, the Information Commissioner’s Office confirmed that businesses who utilise direct mail within their marketing efforts will still be able to contact prospects and customers via post without the need to gain ‘explicit consent’, provided the communications fall into the category of ‘legitimate interests’.
What is legitimate interest?
The term legitimate interest, in the context of GDPR and direct marketing, is the usage of an individual’s data in a way which they could ‘reasonably’ expect. This can only be through means which will have little to no impact on their privacy and which are supported by a justification for the use of the data.
When it comes to legitimate interest, businesses must be able to meet the three core reasons for processing data under this section of the legislation. Companies must be able to:
- Identify legitimate interest
- Demonstrate a necessity for processing the data
- Align the activity with the individual’s interests, rights and freedoms
When using legitimate interest as a method for bypassing the consent portion of GDPR, companies must ensure that the processing of the data is necessary and that they have investigated alternative routes for achieving the same result with less intrusive methodology. Should the processing of data be unnecessary, or should it be possible to achieve the same outcome through other means, legitimate interest will not apply.
Examples of legitimate interest
Within GDPR, Article 6.1 defines the lawful grounds for a business to justify data processing under legitimate interest. These six provisions are as follows:
- Consent of the data subject
- The data requires processing as a necessary component for the data subject to enter a contract or for the performance of the contract
- The processing of the data is essential for legal obligation and compliance
- The processing of the data will protect vital interests of the subject or other people
- The processing of the data is vital to public interest or on behalf of an official authority vested in the controller
- The processing of the data is necessary for any legitimate interest by the data controller and/or a third party, with the exception of occasions where it will be overridden by the rights, interests or freedoms of the data subject
The ICO have stated that they will be publishing further information later in 2018. However, they have also recently confirmed the move within a recently added frequently asked questions section on their site. The section includes the following statement, which comes as a welcome notice to a number of charities and businesses that rely on direct mail, and to those companies that deal particularly in data and have made significant amends to overhaul practices in preparation for the legislation change.
“You won’t need consent for postal marketing…you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.”