GDPR - legitimate interests vs. consent
Or – ‘Everything you wanted to know about choosing your basis for data processing but were afraid to ask’
The first step to getting GDPR compliant is doing a data audit and figuring out where you stand. Next, it’s time to decide how you’re going to manage your data, and more importantly – your relationship with your audiences – going forward.
You’ll need a ‘basis for processing’ – basically, a reason why you are doing something with someone’s data. This is where consent and legitimate interests come in.
There are six lawful bases for processing data under GDPR:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. For example, they’ve signed up to your newsletter to receive marketing emails.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. If a customer has bought a ticket to a show, you might email them to let them know it has been cancelled.
(c) Legal obligation: the processing is necessary for you to comply with the law.
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The main ones cultural organisations will be using are legitimate interests and consent.
Look at your marketing method
Before choosing a basis for processing, you’ll need to check your marketing method.
To make things more complicated, there are two sets of regulation at play here: GDPR and PECR. PECR covers everything to do with marketing by email or text. Telephone communications are covered when calling is automated. It doesn’t cover direct mail via post or most telephone calls.
So, if you’re working with an email or text marketing list, legitimate interests is not a valid basis for processing, and you’ll need to read on…
Email and text marketing
Under PECR, there are two ways to process data: via consent, or via soft opt-in.
Consent under GDPR must be clear, use a positive opt-in (no pre-ticked boxes!) and easy to ‘opt-out’ from later. For more info, check out our consent check-list.
From the ICO's guidance on PECR:
You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.
If your organisation sells tickets, then soft opt-in is another option available. Soft opt-in can be used when a customer has bought a service or product from you, or negotiated a sale (they may have been part-way through buying tickets and left them in the basket). You have to give them the option to opt out at the point of original data capture. Not only this, but you must give them the option to opt out each time you send them an email after this. This isn’t so hard, as most email platforms (like Mailchimp) automatically include an unsubscribe link in the email footer.
For more information on this, check out our guide to getting your email marketing GDPR compliant.
Can you send marketing messages to company emails? In short, yes, if you are emailing a non-personal email address without a name (such as info@ or admin@). If not, you will need consent. However, you can still rely on the soft opt-in. For example, if a school class bought tickets from you before, you can still send marketing messages to the teacher, so long as you include an ‘opt-out’ or unsubscribe link in each subsequent email you send them.
Here's the official guidance from the ICO:
You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object.
Deciding on your basis for email marketing
We've put together a GDPR for email flow chart that will help you to decide whether you'll need to use consent or soft opt-in for your email marketing.
Post and Telephone Marketing
For post and telephone marketing (not automated) – we’re back to good old GDPR. You can choose legitimate interests or consent as your basis for processing here.
Here’s the ICO’s definition of ‘legitimate interests’:
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Legitimate interests is a balancing act between what your mission is as an organisation, and the privacy interests of the person whose data you are processing.
So, your arts centre wants to promote access to the arts in the local council area. But your council resident doesn’t want to be bombarded by irrelevant junk mail.
It’s all about what the person you’re contacting could ‘reasonably expect’. So, if I bought a ticket for a play in my local arts centre last year, then there’s a good chance I would be happy enough to receive their annual theatre events programme in the post.
However, if I had booked a ticket to a classical music concert and then the company sold my details to a third party and I start receiving marketing messages about buying a new car… that’s not something I would expect.
How to use Legitimate Interests
It's not enough to just decide you are going to use legitimate interests, you'll need to carefully consider if it is the appropriate data-processing basis for you.
If this all seems a bit wishy-washy, there is a clear procedure for deciding what data processing you can cover under legitimate interests: a Legitimate Interests Assessment (LIA).
This is a three-part test. You'll need to: identify a legitimate interest; show that the processing is necessary to achieve it; and balance it against the individual’s interests, rights and freedoms. The ICO breaks it down into the three stages:
1. Purpose test: are you pursuing a legitimate interest?
2. Necessity test: is the processing necessary for that purpose?
3. Balancing test: do the individual’s interests override the legitimate interest?
It needs to be applied for each type of data processing that you do. Here's an example of a legitimate interests assessment (scroll down to page 6).
You may need to use the consent basis instead of legitimate interests if your data processing has the potential to harm the individual, or you're working with children's data.
When you conduct these tests, save the tests and results in a spreadsheet, so you’ll always have evidence to back up your basis for using legitimate interests.
At the same time – make sure to note your different uses of data in your privacy notice too, if they’re not already there.
Which is better? Consent or Legitimate Interests?
If legitimate interests is appropriate to use in your organisation, it can be a great thing. You don’t need to rely on people to subscribe or consent, meaning you can market to more people or process more data.
Michael Nabarro, CEO and co-founder of Spektrix, recently spoke at our GDPR training events. Spektrix argue that:
"the types of processing arts organisations typically engage in have very minor negative impact to most customers – and in fact in the majority of cases it can be a positive one. On the scales of legitimate interest, you can easily make the argument that the majority of data processing activity by arts organisations falls under legitimate interest" - from the Spektrix blog
Just remember that you'll need to perform a Legitimate Interests Assessment, and that you will still have to follow the PECR guidelines for marketing via email or text.
If you decide to go with the consent route, you’ll need to follow the general guidelines for consent. You could add in post or telephone marketing as options when people are signing up to your email marketing. The ICO recommend that consent be ‘granular’ – i.e. people don’t have to sign up to all or nothing. They can choose to consent to email, post or telephone marketing separately.
Note: This is intended to provide an overview of GDPR and is not a definitive statement of the law.
For a definitive guide, check out the Information Commissioner’s Office website.