I can’t have been alone in thinking that once the GDPR deadline came around my inbox would be significantly less cluttered. The volume of opt-in emails I received (and ignored) led me to believe I’d see a drop-off after 25th May, yet a couple of months on, the state of my inbox is almost as appalling as it was pre-GDPR. But on what basis have these companies decided to continue holding my personal data and sending me their marketing emails?
According to the ICO, there are six lawful bases for processing an individual’s personal data. These are consent, as part of a contract, as part of a legal obligation, in ‘vital interest’ (to protect someone’s life), to perform a task in the public interest or for official functions, and finally, legitimate interest.
In the build-up to GDPR, it seemed that the majority of marketers were gaining consent using the double opt-in email method as a safe blanket cover. Yet, scrolling through my crowded inbox now, I can only assume that the majority have continued to contact me on the basis of legitimate interest, including that high street fashion retailer I bought a pair of jeans from once about five years ago. But what is it and in what circumstances does it apply?
Whilst the ICO states that no one lawful basis is superior to another, legitimate interest appears to be a little more flexible and does not require the individual to agree. Currently the ICO has offered no definitive guidelines to be taken into account when deciding whether your purpose falls under legitimate interest, but it has offered some examples, which include:
- When the processing is not required by law but is of a clear benefit to you or others
- When there’s a limited privacy impact on the individual
- When the individual should reasonably expect you to use their data in that way
- When you cannot, or do not want to, give the individual full consent requests when they’re unlikely to object to the processing
Whilst it appears that legitimate interest can be applied fairly broadly, businesses and organisations do need a clear and specific outcome or benefit in mind for their processing operation, such as a legitimate interest in marketing goods to existing customers to increase sales.
It’s likely that what constitutes legitimate interest will become clearer over time as cases are investigated and outcomes decided. Until then, the ICO recommends that companies apply the three-part test to ensure their legitimate interest is…well, legitimate.