If you look at the headlines, the new law is famous for the massive fines of 4% of global revenue or €20m it brings in, as well as a far higher hurdle for consent, which will be opt-in and based on an informed decision that the consumer is free to reverse at any time. That's what is prompting people to go off and repermission datasets to ensure they are stored, processed and acted on with each person's explicit, clearly marked, freely given, informed consent. Quite a mouthful.
Now, to be clear, I think this is the best way to go because we are moving from digital marketing being a "who's got the biggest list" type of exercise to a landscape where data quality and trusting relationships are more important. So, spring cleaning lists to ensure that people really do want to hear from you is a courtesy that will slim those lists down, but will ultimately build trust and ensure that you are only speaking to people who want to be spoken to.
However, I thought it would be worth actually reading the parts of the law that marketers talk about frequently but, I suspect, rarely read.
So here you go -- let me cut and paste the relevant wording.
“Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.”
Give that a second read and it actually looks like the EU lawmakers have set the bar fairly low for marketers looking for an alternative to informed consent, doesn't it? A business needs to show its need to market itself to people is a legitimate interest -- a part of its everyday business. In other words, if you can show that you need to market to people to run and grow a business and that communication, on balance, is likely to do them more good than harm, then my reading is that you're in the clear. But remember, I am not a lawyer, and this is not even close to being legal advice.
Those in doubt might then like to take a look at the line that comes soon after in the law. I promise you that I have not made this up. This is what the law actually states:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
You can kind of see a lobbyist for the marketing industry not quite believing their luck that all the pressure paid off when that line was added, can't you? The DMA were lobbying intensely on this subject, so their huge celebrations around 'legitimate interest' are suddenly explained in a sentence. Direct marketing is plucked out of the air and specifically singled out as a 'legitimate interest.'
So, steer away from sensitive data (like religion, sexual orientation, political views, health records) and so long as you're sending out useful messages about the latest offers and upgrades, you can quite easily claim the information was more likely to be of benefit than cause the recipient any kind of harm.
Again, this is not legal advice, and my own opinion is that marketers are best off opening up a more honest and trusting relationship with customers and prospects by seeking out informed consent. However, for marketers with long lists who are unsure whether consent was gained in accordance with GDPR, it does look like 'legitimate interest' is a way to carry on.