GDPR: ICO Brings Clarity to ‘Legitimate Interests’

By Yusef Sanei

GDPR is the acronym on everyone’s lips. With the implementation date of the regulations less than 2 months away we are reminded of its importance on a daily basis. From Cambridge Analytica scandals to new academic fields around data ethics and Elizabeth Denham’s warning last week around the dangers of Artificial Intelligence and data.

GDPR is quite rightly, permeating our social discourse which is why we wanted to provide you with a simple overview of the recent update from the Information Commissioner’s Office (ICO) around the most relevant of the six-lawful bases for B2B: Legitimate Interests.

Legitimate Interest gives businesses a certain flexibility or room for movement within the regulations. This is for several key reasons:

  • It does not impact individual privacy significantly
  • Individuals can reasonably expect businesses to target them
  • Due to the individual expecting a business to contact them, businesses do not need to hassle the individual with consent request after consent request

This being said, the legitimate interest clause shouldn’t be used as a flexible and default approach to your targeting. The specific context and reason for contact still needs to remain appropriate. This however, is in my opinion a blessing rather than a curse – it simply means you have to make sure your targeting is correct which will ultimately have a beneficial impact on your business.

The disadvantage of this is that you will have to guarantee and make clear the reason why you are contacting someone which can increase business work load, but again, you should have been doing this anyway as best practice.

The legislation around legitimate interests is dense, but as a general rule of thumb, consider these factors and all should be well:

  • Will the person I’m contacting expect me to contact them?
  • Will the person I’m contacting consider my marketing message a nuisance or does it have relevance?
  • Could the frequency of my communication have a negative effect on vulnerable individuals?
    •  For example, if my company is having financial difficulties and I am frequently targeted by high interest loan companies I could be coerced to take  a loan due to my vulnerable state.
  • Have I informed the individual that they have the right to object to me targeting them (Opt-outs)? If they do opt-out, then you cannot legitimately contact them.

If you ask yourself these questions, especially within the business to business setting, then it is very likely that the majority of your targeting and processing will come under the base of legitimate interest.

Still have questions about GDPR? Feel free to call or email now and we can show you how Stay Upstream can get you ready and raring to go ahead of 25th May.

Email or call Chris Finnegan – / 0203 861 4459


Please note that this article is written from writers point of view. The information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts if you would like further clarification.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s