• by Sean Hargrave , Staff Writer, January 25, 2018

We're starting to get into panic season on GDPR, and I must admit I always allow myself a wry smile when I read the sensationalist headlines. Sure, it's a new set of regulation that must be adhered to, but I'm still not sure where all the panic is coming from.

There's a decent article in Campaignthis morning that is informative and from a legal eagle, so it's someone who knows what they're talking about. However, it falls right into the trap that all articles on GDPR appear to follow. It talks about consent with just a side mention of legitimate interests (LI). For those not in the know, these are the two main legal bases that marketers will be choosing between to make their personally identifiable data legal.

The Campaign article mentions LI but it gets no more than that, and is immediately followed by a few paragraphs outlining consent and how the barrier has been raised.

Why is everyone avoiding the thing marketers want to hear most about? LI is just as legal as consent, but it does come with a balancing test. You basically need to examine whether a person's data privacy is infringed by a brand processing their data. Red lines to watch out for would be whether the data is sensitive, such as sexual orientation, religion, political affiliations and so on. Legal advice should be sought, of course, for I am not a lawyer.

Marketing groups, particularly the DMA, celebrated LI's inclusion in GDPR alongside consent for good reason. It means existing lists can be brought into the GDPR landscape without repermissioning. Now, many would argue, what is the point of long lists of disengaged customers when a permissioning exercise would give databases more focus? It's a good point, but it's not a legal requirement. 

I recently was accused of getting GDPR wrong in a Twitter debate around a previous London Blog. My detractors admitted they could find nothing wrong with the article, nor the headline, and soon changed the subject. 

Here's the inconvenient truth about GDPR for those who still contend it is all about consent -- it is not. There -- that was pretty simple, wasn't it?

LI is just as legal as consent, and the rules that govern the use of data in digital marketing are known as PECR (yes American friends, that really is how it's pronounced). This will be replaced by the ePrivacy Regulation in a year or two. The current law has a soft opt-in mechanism through which customers you have a relationship with can be marketed to as long as they didn't take the option to opt-out when they gave up their personal information. I've checked the wording of the draft Regulation that will replace the current law, and there's something very similar in there too.

So before you jump off a cliff and decide your marketing lists are worthless, pay less attention to the doom merchants. Get out there checking LI, such as this blog from the ICO which very clearly reminds marketers that consent is not a "silver bullet."

I am in no way passing on legal advice here -- let's be really clear about that. What I am saying is, don't follow the mistake of many marketing writers and overlook whether LI might be a more suitable legal basis for personal data processing. Don't forget you can then legally market to someone using that data on digital channels as long as they had the option to opt out when the details were taken. 

This is not the PC view -- it's not what you'll usually read about. But take a look at the laws concerned, and take a look at the regulator, the ICO, and the DMA while you're at it. See what the guys overseeing all this say and some of the panic just might be alleviated.

I'm not suggesting for one moment that GDPR changes nothing and there's no work to be done. What I am saying is that it changes a lot less than you may think when it comes to your marketing databases and lists. There are added complications dealing with third-party lists and using data to target people in digital display and social media advertising. That's an area you may well need to take more detailed legal advice on in addition to hoping the likes of Facebook and Google know how to be compliant.

Privacy notices will have to updated and consumers need to be told how they can check what data is stored on them and ask for it to be corrected or deleted as well as asking for it not to be used for marketing and/or automated profiling. 

However, if you want panic, you'll have to look beyond this blog. if you want some reassurance that the sky is not falling in, go check out those official, aforementioned sources to see what the lay of the land really is -- not what you may have been led to believe it is.