A particularly notable area in the GDPR regulations includes a section about ‘legitimate interest’. This means data that falls within a legitimate interest may not require explicit consent. A person may not have to provide permission to be contacted, if they are considered a legitimate interest.
What does this even mean?
What The GDPR Actually Says About Legitimate Interest
Taken from the ICO:
Article 6(1)(f) gives you a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Why is this important?
A Legitimate Interest Can Be Marketing
GDPR recital 47 states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
You need to follow some rules, though!
First up, you must state in your privacy policy that you may consider legitimate interests within your communications policy.
You must process data in a way that does not override the interests of the individual. For example, you may need to process personal data to create customer behaviour analyses. You cannot then share this data without anonymising it first.
However, for marketing purposes, you may consider data to be of legitimate interest even if it seems it may conflict (but not override) the rights and interests of the individual.
You may even override these fundamental rights if you are working with personal data for a public interest task, such as sharing with Government agencies upon request.
You cannot use the argument of legitimate interest if there is another way to achieve the same outcome which is less intrusive. For example, if you want to process data on customer purchases to improve a ‘recommended products’ area of your website, this data can be anonymous without the need to process identifiable factors of the individual.
What Legitimate Interest Means For Direct Mail
Legitimate interest is more flexible than explicit consent. It may be, for example, that you have never previously sent direct mail campaigns (letters, flyers, postcards: any physical communication you send to customers), and therefore have not requested explicit consent to use personal data in order to carry out such a campaign.
However, when you start using data in a new way like this, it can be considered a legitimate interest. You just need to make sure you then provide an explanation when you send your direct mail campaign about how and why you’re using data the way you are.
For example, you could add a short line that says: “You’re receiving this letter because you’re a previous customer of MyComany and we wanted to let you know about cool stuff. If you don’t want any more letters, please email [email protected]”.
Another example is that of ‘recommended purchases’ on websites. This is a legitimate interest, as is can improve the buying experience of the consumer but does involve processing personal data in order to create these recommendations.
What Does This Mean For Your Mailing Database?
Having a legitimate interest means your direct mail game is about to rocket.
You can contact your previous and new customers using direct mail under the legitimate interest clause. You can do this as long as you explain why you’re using their data in this new way (to further engage and deliver a personalised buying experience, obviously!) and provide a way for them to opt out of future direct mail campaigns.
You don’t need explicit consent to send a direct mail campaign, as long as it is considered not detrimental to the individual’s interests.
This means you can reach those who have yet to opt into your marketing or re-engage with those who have not responded to a re-consent campaign.
(Of course, just remember to NOT contact people who have already explicitly opted out of direct mail communications!).
Ready to create a killer direct mail campaign to re-engage with your customers? Keep an eye out on tomorrow’s blog, which is all about making your flyers and leaflets GDPR compliant.