Does GDPR Come With A 'Get Out Of Jail Free' Card?

Does the GDPR have the marketing equivalent of a "get out of jail free" card? That is a question that has been bugging me about the new data protection measures that will become law on May 25th next year. And -- spoiler alert -- I kind of think it does.

If you look at the headlines, the new law is famous for the massive fines of 4% of global revenue or €20m Euro fines it brings in as well as a far higher hurdle for consent, which will be opt-in and based on an informed decision that the consumer is free to reverse at any time. That's what is prompting people to go off repermissioning datasets to ensure they are stored, processed and acted on with each person's explicit, clearly marked, freely given, informed consent. Quite a mouthful. 

Now, to be clear, I think this is the best way to go because we are moving from digital marketing being a who's got the biggest list type of exercise to a landscape where data quality and trusting relationships are more important. So, spring cleaning lists to ensure that people really do want to hear from you is a courtesy that will slim those lists down, but will ultimately build trust and ensure that you are only speaking to people who want to be spoken to.

However, I thought it would be worth actually reading the parts of the law that marketers talk about frequently, but I suspect, rarely read.

So here you go -- let me cut and paste the relevant wording.

“Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.”

Give that a second read and it actually looks like the EU lawmakers have set the bar fairly low for marketers looking for an alternative to informed consent, doesn't it? A business needs to show its need to market itself to people is a legitimate interest -- a part of its everyday business. In other words, if you can show that you need to market to people to run and grow a business and that communication, on balance, is likely to do them more good than harm, then my reading is that you're in the clear. But remember, I am not a lawyer, and this is not even close to being legal advice.

Those in doubt might then like to take a look at the line that comes soon after in the law. I promise you that I have not made this up. This is what the law actually states:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

You can kind of see a lobbyist for the marketing industry not quite believing their luck that all the pressure paid off when that line was added, can't you? The DMA were lobbying intensely on this subject, so their huge celebrations around 'legitimate interest' are suddenly explained in a sentence. Direct marketing is plucked out of the air and specifically singled out as a 'legitimate interest.'

So, steer away from sensitive data (like religion, sexual orientation, political views, health record) and so long as you're sending out useful messages about the latest offers and upgrades, you can quite easily claim the information was more likely to be of benefit than cause the recipient any kind of harm.

Again, this is not legal advice, and my own opinion is that marketers are best off opening up a more honest and trusting relationship with customers and prospects by seeking out informed consent. However, for marketers with long lists that are unsure whether consent was gained in accordance with GDPR, it does look like 'legitimate interest' is a way to carry on.

1 comment about "Does GDPR Come With A 'Get Out Of Jail Free' Card?".
Check to receive email when comments are posted.
  1. Roy Smith from PrivacyCheq, October 27, 2017 at 3:26 p.m.

    I think it's worth pointing out that while Legitimate Interest is one of the six bases for processing data, it is not the complete "get out of jail free" card as the headline indicates. Perhaps the headline would be more accurately worded "get out of consent free" .. Here's why.

    Regardless of what basis you choose for processing, you are still required to notify the data subject of the legal basis you are using for getting their data, you still have to log the fact that you gathered the data (to be able to demonstrate your compliance if asked by a regulator), and you must provide the user with a convenient method to view your clear and understandable privacy notice (not your 8 page legal doorstop), stop your use of the data, get a copy of it, edit it, request total erasure, and to find out about your data breach.  Since the user can revoke their permission at any time using the above mentioned tool, you have to verify that your "Legitimate Interest" is still valid EACH TIME you use the private data that was captured.

    In other words, LI just gets you out of roadblocking user onboarding for consent. You still have to do everything else required by GDPR, which will require a non-trivial amount of IT effort.  Commercial disclaimer: My company offers a SaaS solution for all this required user interaction complexity. 

Next story loading loading..