Permission might not be good enough. To comply with GDPR the controller of personal data may be better off relying on legitimate interests.

Under the General Data Protection Regulation (GDPR), enforceable from May 25th, there are six lawful grounds for processing personal data:

• Consent of the data subject

• Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

• Processing is necessary for compliance with a legal obligation

• Processing is necessary to protect the vital interests of a data subject or another person

• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

• It is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Frankly, many of these lawful grounds are common sense, and only apply in very specific cases. But the rules concerning permission may not be common sense, because they require that permission is freely given, and that is a grey area.

Instead, many organisations, as data controllers, are relying on legitimate interests.

According to the ICO, the UK regulator responsible for enforcing data protection regulation in the UK, legitimate interests “can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.”

In other words, if the processing of personal data is in the interests of the data subject or third parties, it is legitimate.

The question of what is in the data subjects’ interests is, of course, another matter entirely.

Presumably, in George Orwell’s 1984, the authorities thought it was in the interest of the people that Big Brother watched them.

In practice, the ICO says that the processing of the data must be necessary, meaning that if you can achieve the same results in a different way, then you should apply that different approach.

The ICO says that “you must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.”

And it says that you must keep a record of your legitimate interests and explain them in your privacy notices.

But for marketers, it is interesting to note that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Public sector data controllers can only apply legitimate interests if they are processing the data for a task other than for their function as a public authority.

To learn more about how legitimate interests can impact your business, visit the GDPR Conference Europe: Roadmap for Sales and Marketing on the 8th March.

By Michael Baxter, Editor, Fresh Business Thinking

GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at
