GDPR legitimate interest and personalisation

Written by Jason Groom
Originally published January 23 2018

Illegitimate is a word that fortunately seems to have fallen out of everyday usage. Legitimate in the context of “interests” on the other hand…expect to hear that often in marketing circles as the 25th May GDPR deadline draws nearer.

The ICO guidance on GDPR legitimate interests has been long-awaited, not least because many were hoping it would allow them to circumvent the other seemingly more onerous legal grounds for processing:

  • Consent
  • Contract performance
  • Legal compliance
  • Protection of the subject’s vital interests
  • Performance in the public interest / exercise of official authority

We were keen to read the guidance too, knowing that it would affect us and our own marketing and, critically, that of our clients.


What the ICO says

On the whole, the news seems good, especially for direct mail or “postal marketing”. As long as a person’s data is not being used in a way they would find intrusive or harmful, and safeguards are in place to protect the data, a simple test, a “Legitimate Interests Assessment” (LIA), is all that’s needed to demonstrate compliance and keep you on the right side of the regulations.

The ICO has done a good job in making its guidance clear and easy to understand. In a recent addition to the FAQs section of its website it stated,

“You won’t need consent for postal marketing…you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.”

 You can access the ICO’s guidance in full here and there’s a really useful and detailed paper from DPN on the subject too.



There’s no actual template for the LIA, as such, but it boils down to three essential elements and you’ll need to:

 1. Identify a Legitimate Interest: Why do you want to process the data, and what are you hoping to achieve by doing so, including the benefits and their importance?

 2. Carry out a Necessity Test: Does your processing further the interest identified above, and is it reasonable and the least intrusive method?

 3. Carry out a Balancing Test: Consider the impact of your processing and whether this overrides the interest you have identified.


Personalisation-worthy data

We’d go a step further. Your contact data obviously will need to be clean and up-to-date. But, if you’ve been thorough and analytical, you’ll know enough about your customers and prospects to prove beyond doubt that what you’re promoting and communicating to them will reflect, as a minimum, their:

  • Interests
  • Demographic
  • Purchasing behaviours and history
  • Preferred channels
  • Geographical location and language

And, if it does, the legitimate interest in question is no longer yours as the data controller but, much more importantly, theirs as the recipient.


Take your pick

Consent is obviously always going to be the strongest of all the six legal grounds. Think of it as the Holy Grail when it comes to direct marketing to your contacts. If they’ve explicitly given you permission, you’ll not only be legally safe but also have the comfort of knowing that your messages are expected and ultimately welcomed.

Using personalisation and formulating messages that resonate will achieve the same effect, with the added benefit of it being proven to improve response rates as much as four-fold. And that has to be a winner!





MUST READ DISCLAIMER: Please know that this guide is our informed interpretation of the EU General Data Protection Regulation, and its effect on marketing. This is for informational purposes only and is designed to help you better understand the law and how it might affect your marketing. We are not lawyers. Nothing presented in this document is, or should be construed as legal advice. It may be necessary to consult your legal or compliance team for specific guidance regarding adherence to the law.
