You can almost hear the "whoop" of joy around the DMA as it announces to members that the latest guidance by the ICO on implementing GDPR includes "legitimate interest" as a lawful alternative to outright consent.

As the organisation for direct marketers points out, this is an issue it has raised with the ICO for quite some time now. The debate has raised a very interesting question -- in what other lawful ways can an organisation process someone's data without explicit consent? It turns out there are five other lawful bases for processing someone's data where consent is not possible or is not the most appropriate way of remaining GDPR-compliant. These generally tend to apply where the processing of data is vital to that person, where it is legally necessary, where there is an imbalance of power and so consent cannot be freely given, where it is necessary to perform a public function, or where there is a contract which stipulates that you are going to process that person's data.
"Legitimate interest" is a very interesting legal alternative to outright, freely given, informed consent denoted by an affirmative action -- which is pretty much how the GDPR rules define consent. With legitimate interest, the organisation has to be able to show that it is in the interests of the person or business concerned to have their data processed. Profit is not an obstacle here: making money is perfectly acceptable, because the law acknowledges that most businesses are not driven by altruistic aims when processing data.
In fact, it all comes down to having a "good reason" to process data, such as keeping someone on, or adding them to, an email marketing list. This good reason has to be balanced against the harm it could do the person. The company processing the data must, the ICO stresses, be open and transparent, and must not cause the third party any harm.
Now, when I read the DMA's note about the ICO guidance, I have to admit I was a little bit sceptical. I thought the DMA was clutching at straws, but for companies that find obtaining full consent too difficult or inappropriate, there is the alternative of "legitimate interest".
It sounds like a piece of the regulation that could easily be open to challenge as people try to claim that receiving direct mail shots and email marketing is harmful to them -- but as it stands, if you have a reason to keep someone on your lists, and making money actually counts as one of those reasons, then you can claim a legitimate interest. Presumably, still allowing someone to unsubscribe is part of being accountable and transparent.
So I'm really not sure how to sign off here. The DMA had always said there would be an alternative to the onerous process of re-permissioning people to obtain more detailed, clear and unambiguous consent and, well, it turns out there is. I am no lawyer, so please don't take my word for it. Read the guidance (pages 11 to 16 are particularly pertinent) and then have an expensive sit-down with a lawyer and see what you conclude.
But as to whether there is a lawful alternative to consent for being GDPR-compliant, the ICO is, surprisingly, stating that there clearly is.