GDPR: ICO Brings Clarity to ‘Legitimate Interests’

By Yusef Sanei

GDPR is the acronym on everyone’s lips. With the implementation date of the regulations less than 2 months away, we are reminded of its importance on a daily basis, from Cambridge Analytica scandals to new academic fields around data ethics and Elizabeth Denham’s warning last week about the dangers of Artificial Intelligence and data.

GDPR is, quite rightly, permeating our social discourse, which is why we wanted to provide you with a simple overview of the recent update from the Information Commissioner’s Office (ICO) on the most relevant of the six lawful bases for B2B: Legitimate Interests.

Legitimate Interest gives businesses a certain flexibility or room for movement within the regulations. This is for several key reasons:

  • It does not impact individual privacy significantly
  • Individuals can reasonably expect businesses to target them
  • Due to the individual expecting a business to contact them, businesses do not need to hassle the individual with consent request after consent request

This being said, the legitimate interest clause shouldn’t be used as a flexible and default approach to your targeting. The specific context and reason for contact still need to remain appropriate. This, however, is in my opinion a blessing rather than a curse – it simply means you have to make sure your targeting is correct, which will ultimately have a beneficial impact on your business.

The disadvantage of this is that you will have to guarantee and make clear the reason why you are contacting someone, which can increase business workload, but again, you should have been doing this anyway as best practice.

The legislation around legitimate interests is dense, but as a general rule of thumb, consider these factors and all should be well:

  • Will the person I’m contacting expect me to contact them?
  • Will the person I’m contacting consider my marketing message a nuisance or does it have relevance?
  • Could the frequency of my communication have a negative effect on vulnerable individuals?
    • For example, if my company is having financial difficulties and I am frequently targeted by high-interest loan companies, I could be coerced into taking a loan due to my vulnerable state.
  • Have I informed the individual that they have the right to object to me targeting them (Opt-outs)? If they do opt-out, then you cannot legitimately contact them.

If you ask yourself these questions, especially within the business-to-business setting, then it is very likely that the majority of your targeting and processing will come under the basis of legitimate interest.

Still have questions about GDPR? Feel free to call or email now and we can show you how Stay Upstream can get you ready and raring to go ahead of 25th May.

Email or call Chris Finnegan – / 0203 861 4459


Please note that this article is written from the writer’s point of view. The information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts if you would like further clarification.



GDPR: Top Five Questions Answered

By Yusef Sanei

With #DeleteFacebook erupting throughout the Twittersphere due to the Cambridge Analytica scandal, data and data transparency have been dragged into the spotlight. Data is personal, political and profitable, which makes the impending GDPR implementation more relevant than ever.

Over the past year or so, much of the GDPR coverage has been scaremongering sensationalism, focusing almost entirely on the hefty fines that businesses could potentially be made to pay. The Cambridge Analytica scandal that is still unfolding before us highlights that data, and indeed GDPR, is not the product of an overly bureaucratised European Union consumed with tangling us in a web of regulations. Rather, those regulations are in place to ensure the protection of the individual and the business.

That being said, GDPR is complex and still raises many questions. In light of this, we have compiled a list of the most common questions we get asked on a daily basis, in an attempt to bring some clarity to the situation.

Are B2B email addresses considered personal data?

The short answer to this is both Yes and No. Any B2C data, or email addresses of sole traders, under the ICO’s Direct Marketing Checklist, are considered personal data. Upstream only holds personal business emails (B2B email addresses), which can still be marketed to under the new GDPR changes; however, they must be contacted with “legitimate interest” and given a clear opt-out.

Article 6(1)(f) gives you a lawful basis for processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Will GDPR stop me from telemarketing?

Again, the answer is as above. Keep your calling focused and, most of all, relevant. You can use the legitimate interest reasoning to have a lawful basis to call someone, but it is being advised that you give contacts an opt-out option when calling. Something as simple as “Would you mind if I contact you again in the future?” will help with this. Just be sure to record all previous conversations and make it clear where people no longer want to be contacted again.

With Brexit, we don’t need to worry about GDPR as we live in the UK and contact UK companies?

The UK Government themselves have confirmed that GDPR will still apply to the UK even after Brexit. After Brexit, there may be one or two changes to the current GDPR legislation, however, the guidelines set out by GDPR and the new ePrivacy Regulation will be used as a tight guideline for the UK, so do not expect anything to change anytime soon!

Even if we don’t comply, does it really matter? These are surely only guidelines, not actual laws.

Just to be clear, GDPR is being set out as a legal requirement for anyone processing data within Europe. Failure to meet these requirements can be met with hefty fines of up to 4% of the company’s worldwide turnover or €20 million (whichever is greater). In the UK, the ICO (Information Commissioner’s Office) will be in charge of issuing any fines.

Does GDPR mean I need to delete all of the current contacts in my database/CRM?

Wetherspoons may have deleted their entire database, but you don’t have to! What will be paramount is to ensure your database is as accurate and up to date as possible. This means going through all of your records and ensuring that they are correct, and also making it everyone’s responsibility in your organisation to keep these up to date going forward. The only time you will need to delete a contact is when they request it, under Article 17 of GDPR, which gives everyone the right to be forgotten.

Do all of our contacts have to opt-in?

Whilst it is best practice to have your contacts already opted in, Article 6 means that any direct marketing does not have to be consent based. However, if you are using GDPR’s own terminology of ‘legitimate interest’ to market directly to contacts, make sure that your messaging is relevant to the recipient, has a clear opt-out from further communications and that you then record specifically the outcome of the communication, e.g. the time/date of their opt-out if they requested one.

We hope this sheds light on some of your concerns and highlights that GDPR is not the doomsday some would suggest but rather a reminder to all businesses to implement best practice. If there is one thing we should take away from this week’s events concerning Cambridge Analytica, it’s that data regulations should be taken seriously and businesses, irrespective of size, should ensure they follow these necessary regulations for the protection of themselves and the individual.



Movers and Shakers

It’s hard to keep track of all the changes and the latest Movers & Shakers. Each week, our team at Upstream provides a round-up of the new appointments to help you stay ahead.

Here are this week’s Movers and Shakers we recommend that you keep an eye on:

Jess Christie, former Director of PR & Communications at Matches Fashion, has been promoted. She has taken on her new role as Chief Brand Officer. One of her biggest projects this year will be the launch of 5 Carlos Place, the brand’s new space in Mayfair.

Aston Martin has promoted Gerhard Fourie from Director of Brand Strategy to Director of Marketing and Brand Strategy. His new role will include the added responsibility for global marketing, CRM and launch planning.

Kara Keough has been promoted at JLL (Jones Lang LaSalle). She has moved from Director of Brand and Campaign Strategy to her new role of Global Marketing Director, Brand.

Shane Hoyne has left Bacardi, where he was Chief Marketing Officer, Europe. He has moved to Quintessential Brands, where he has taken the same role as Chief Marketing Officer.

Former Marketing Director of Topman, Jason Griffiths, has been promoted to Group Brand Communications Director of Arcadia Group.

Harvey Nichols have appointed Deborah Bee as their new Group Marketing and Creative Director. She has left Eco-Age where she was formerly Brand Director.

If you would like to keep up to date on the latest movers & shakers as they happen each day, then you can stay ahead with our data and insight platform Stay Upstream.