GDPR – advice from the DMA


John Mitchison

John Mitchison, Director of Policy & Compliance at the DMA, explains that GDPR isn’t just about consent and outlines his top tips to be ready for 25th May.

Reading the headlines in some of the marketing press in recent months, you could be forgiven for thinking that consent is the only option for many in our industry to process personal data. Many marketers mistakenly believe that consent is required to process personal data under the General Data Protection Regulation (GDPR). However, consent is just one of the two legal grounds likely to be used for marketing activities. Alongside this we have the equally valid Legitimate Interests, which continues to be all-too-often overlooked.

Strengthening of consent

The GDPR strengthens the standard for consent compared to the existing Data Protection Act, meaning that for it to be valid the individual will need to have made a positive action. Under the new rules, Consent must include actively consenting to statements, whether in writing, orally or electronically. You must also use Consent if you plan to contact potential customers with whom you have had no prior interaction. Examples of this positive action are ticking a box when visiting a website or choosing technical settings for cookies on your internet browser.

Under the GDPR, consent cannot rely on silence, pre-ticked boxes or inactivity on the part of the consumer. By making a positive action, a consumer should be in no doubt as to whether or not they will be receiving marketing from your organisation, what sort of marketing and by what channel. Being clear and transparent is key.

What is Legitimate Interest?

This may mean marketers will find that using consent as a legal basis is not appropriate, instead opting to use Legitimate Interests as the legal basis for their marketing activity. Direct marketing is recognised as a Legitimate Interest in recital 47 of the GDPR. Moreover, direct marketing can be regarded as a Legitimate Interest, depending on the context and what someone expects will happen with their personal data.

Before using Legitimate Interest as a legal basis for marketing, an organisation must carry out a robust Legitimate Interest Assessment (LIA). The Data Protection Network (DPN), working with the DMA and other trade associations, recently published guidance detailing how to carry out an assessment. This is a risk-based approach, in which the marketer must balance their interests against the risks to privacy for the individual.

Be transparent with customers

Some organisations have opted for Consent as their preferred legal option due to its objective nature, and many commentators have suggested that Consent is the only legal ground that a marketer should rely on. But Legitimate Interests is an equally valid ground for marketing activity and provides marketers with more flexibility to connect with customers.

It’s also important to reiterate that the legislation says there is no hierarchy and all legal grounds are equal. This means the decision to select Consent or Legitimate Interests for marketing activity should be based on what is best for your customers and your business, so long as your intentions remain transparent.

Therefore, Consent may well be the right choice for some activities and Legitimate Interests for others. This might even happen within the same transaction, but the guiding light throughout should be transparency with the customer. That’s what GDPR enshrines into law.

8 GDPR top tips

1. Raise awareness within your organisation.
2. Carry out a data audit.
3. Work out your legal basis for processing personal data.
4. Be clear with people why you are collecting their personal data and for what purpose.
5. Always use clear and concise language.
6. Give people control over their personal data.
7. Maintain a record of the decisions you take.
8. Train your staff.

John Mitchison

Director of Policy & Compliance at the DMA

