Improve marketing compliance - GDPR is here to stay

Consent Versus Legitimate Interest

Consent versus Legitimate Interest: for those planning GDPR strategies:

Demonstrating that there is ‘Legitimate Interest’ for you to send your email campaigns is one alternative to getting your email lists to ‘consent’ first. BUT, it needs careful consideration and comes with risks attached.


Your Legitimate Interest Strategy may not be watertight, and until the first prosecutions arrive it is uncertain how the ICO will interpret what is and is not acceptable for direct marketing.

What is Legitimate Interest and how does it apply to Direct Marketing:

The GDPR says: An organisation may wish to rely upon Legitimate Interests as a justified reason for sending Direct Marketing Material where Consent is not viable or not preferred and the Balance of Interests condition can be met.

NOTE that the GDPR uses the terms “may be regarded as…”, so organisations will need to ensure they can establish necessity and balance their interests with the interests of those receiving the direct mail communications. In addition, the defined interests of the organisation must not be outweighed by the privacy rights and freedoms of individuals.

What does that mean? Here’s an example of an organisation offering a clear balance of interest between parties and using Legitimate Interest to support Quarterly Direct Marketing mailshots.

A charity sends an email to existing supporters that provides an update on its activities and details of upcoming events:

  • It deems it necessary to keep its supporters informed of how funds are spent
  • The balance of interest is clear: the email provides feedback about the success of funded events and notice of future planned events.
  • Evidence that individuals’ data protection rights are observed is clear in the email footer and supporting online pages/forms

This scenario is very different to one where an organisation sends email promotions sporadically through the year for its own financial gain to an audience with no common profile and no prior purchase history. There is no balance of interest here.

If you want to rely on Legitimate Interest for processing Personal Data you must carry out an appropriate assessment, often referred to as a Legitimate Interests Assessment, or LIA. 

When carrying out this assessment, you must balance your right to process the Personal Data against the individuals’ data protection rights.

Here are some Guidelines and Next Steps:

  1. Read this Legitimate Interests Assessment template from the DMA and create your own equivalent document to (1) Identify and document your organisation’s ‘Legitimate Interest’, (2) Complete and document a Necessity Test for your organisation, (3) Complete and document a Balancing Test
  2. Update your privacy policy statements and email footers to include Legitimate Interest clauses. You might include statements like this:
    • How do we use your personal information?  
      • We may process your personal information for our legitimate business interests (e.g. direct marketing, modifying or improving our services, determining the effectiveness of promotional campaigns and advertising, data analytics & enhancement). Click here to learn more about what we mean by legitimate interests (see examples below), and when we process your data for our legitimate interests. You have the right to object to this processing; if you wish to do so, please click here.
        • Legitimate Interest Assessment Summary:
          • Example 1 – We have an interest in informing business professionals about marketing and sales practices that achieve good results. This may include sharing ideas with individuals about campaigns, best-practice approaches and success stories.
          • Example 2 – We have an interest in making sure our marketing is relevant to individuals, so we may process your information to send you marketing that is tailored to your interests and industry.
          • Example 3 – Data processing enables us to enhance, modify, personalise or otherwise improve our services & communications for the benefit of our customers and wider target audience.
          • Example 4 – Data processing helps us to determine the effectiveness of our campaigns and advertising.
  3. Update your sales scripts and database structures to capture information around ‘interest’, communication preferences & permissions, use of / access to / recency of data, and privacy
  4. Assess carefully whether the individuals whose records are on your current database were told ‘why and how’ their information would be processed when it was first collected/last updated. And can you evidence this? If not, you may need to re-communicate your ‘purpose and legitimate interest’ in order to continue hosting the data. If data originates from a third-party data provider, this purpose statement was probably NOT made clear or evidenced at the time, so be watchful of this.

