
MYTH: As a business owner, I can no longer cold call or email prospective customers. WRONG!

This isn’t actually the case, although you will need to be more careful with the personal data you process. GDPR doesn’t make cold emailing or calling illegal; it regulates how we can process personal data. When sending a cold email to an employee at firstname.surname@, you process his/her personal data. Hence, you need to respect GDPR and its principles. Article 6(1)(f) gives you a lawful basis for processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

This can be broken down into a three-part test:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

How can you apply legitimate interests in practice?

The ICO website has the following outline on how to assess whether you can rely on legitimate interests. The ICO refers to this as a legitimate interests assessment (LIA), and you should do it before you start the processing.

An LIA is a type of risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations under Articles 5(2) and 24. In some cases an LIA will be quite short, but in others there will be more to consider.

First, identify the legitimate interest(s). Consider:

  • Why do you want to process the data – what are you trying to achieve?
  • Who benefits from the processing? In what way?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • Would your use of the data be unethical or unlawful in any way?

Second, apply the necessity test. Consider:

  • Does this processing actually help to further that interest?
  • Is it a reasonable way to go about it?
  • Is there another less intrusive way to achieve the same result?

Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

  • What is the nature of your relationship with the individual?
  • Is any of the data particularly sensitive or private?
  • Would people expect you to use their data in this way?
  • Are you happy to explain it to them?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Are you processing children’s data?
  • Are any of the individuals vulnerable in any other way?
  • Can you adopt any safeguards to minimise the impact?
  • Can you offer an opt-out?

You then need to make a decision about whether you still think legitimate interests is an appropriate basis. There’s no foolproof formula for the outcome of the balancing test – but you must be confident that your legitimate interests are not overridden by the risks you have identified.

So where does this leave your in-house marketing and sales teams? Taking into account the GDPR and e-Privacy Directive, it does seem sufficient to offer an opt-out when engaging in direct marketing via e-mail or telephone. This means that consent is not strictly needed. However, the e-mail must concern a “similar service or product” or the recipient must have a legitimate interest in your product.

In all other cases, it is definitely safer to work with an opt-in system consistent with the GDPR. This may be a bit onerous at first, but it is also the path of least resistance. And be sure to keep an eye on developments around the e-Privacy Regulation!
