GDPR, Legitimate Interest and
14/11/2018 The Great British Business Show 1
• Project Fear
– A few of the scare stories
– GDPR or PECR, some confusions
– Informed Consent and Legitimate Interest
• Direct Marketing Tips
– Email campaigns
– Postal Direct Mail
• Do’s and Don’ts
Remember the objective of the
legislation is to protect people’s
privacy and personal information
General DATA PROTECTION
PRIVACY and Electronic
Project Fear – Consultants’ Delight!
“ICO fines firm £90,000 for
There are a number of aspects to this case but
primarily the fine was due to the fact that a
personal email address is considered to be
private. Usage of that address is therefore
covered by PECR.
Some questions (and answers)
• What is double opt-in?
– Despite what some people say, this is NOT a requirement in the UK, although it is in other parts of Europe. Double opt-in
was a ‘standard’ developed in the market research industry in the US in order to claim that people had agreed to
provide responses to frequent surveys. Single opt-in was insufficient evidence that people had agreed to continue to
supply information on a regular basis. The double opt-in was confirmation that I have agreed to reply to you, NOT
that I have agreed to read what you send.
• Can I still market to my customers?
– Yes, by all means (email, telephone & post) if they are business customers (except for some sole traders)
– Only by post if they are consumers, unless you have consent for phone and email contact (real or implied)
• How do we get people to opt-in?
– Whatever method you use do NOT offer any specific incentive that would not be available to others not opted in!
• Can you still email people who give you their business cards at an exhibition?
– Yes (despite frequent advice to the contrary)
• Do we have to have consent to email generic email addresses (info@ etc.)?
– No, the GDPR only applies to personal data. Therefore if the email address you hold isn’t related to a person you can
process it. However, if it is personally identifiable then you need consent.
• Will we still be affected once the UK leaves the EU?
The primary point about each of these questions is that they all refer to electronic
communications and are covered by the PECR (Privacy and Electronic Communications
Regulations) NOT directly by the GDPR and are not related to Postal Direct Mail
GDPR Confusions - 1
• The English department need to identify
potential students arriving for the entrance
test, and have asked the recruitment team for
full names and date of birth to corroborate
with an official form of ID.
• The problem we have is that the recruitment
team are digging their heels in, saying that
they "can't" give this information to the
English department "because of GDPR".
GDPR Confusions - 2
• Is putting a ‘reward chart’ for children (in this case in a
primary school) on a classroom wall a breach of data
protection? Children get ‘points’ for behaviour, effort,
etc. and these are logged against their name on a
• My thoughts are that the school could claim legitimate
interests for this processing, but is display of the
information necessary? The information could easily be
conveyed privately on an individual basis to either the
child or the child's parents. Is visibility to other children
more necessary than visibility to their parents? What
are the expectations of confidentiality on the
GDPR Confusions - 3
• The HR department discovers that John Smith
may have contracted an infectious disease whilst
on an assignment in Africa.
• It writes to John setting out its concerns and
asking him to contact the medical service before
returning to college in October. The letter is sent
to the wrong John Smith. John’s condition is not
• Is this personal data breach notifiable to the
GDPR Confusions - 4
Some Advice (?):
If you are buying a ‘consented’ marketing list, the
consent request must have identified you specifically.
Even precisely defined categories will not be enough
to give you valid informed consent under the GDPR
definition. You must keep records to demonstrate
what the individual has consented to, including what
they were told, and when and how they consented.
True for consumer email or telephone list ONLY
• A client asks for proof of consent:
“how can you demonstrate that an individual has consented to
you processing their data for a particular purpose. This must
include when the consent was obtained, who obtained it, in
what context and time limit after which consent automatically
• Unfortunately you should not provide this
information to anyone other than the individual
themselves, because it is considered to be personal
data and should not be released unless the individual
has provided consent for you to do so. Of course,
such information can be provided to the individual
themselves in response to a Subject Access Request.
The 6 justifications for processing
• Consent: the individual has given clear consent for you to process their personal
data for a specific purpose.
• Contract: the processing is necessary for a contract you have with the individual.
• Legal obligation: the processing is necessary for you to comply with the law
(not including contractual obligations).
• Vital interests: the processing is necessary to protect someone’s life.
• Public task: the processing is necessary for you to perform a task in the public
interest or for your official functions, and the task or function has a clear basis in
• Legitimate interests: the processing is necessary for your legitimate interests
or the legitimate interests of a third party unless there is a good reason to protect
the individual’s personal data which overrides those legitimate interests.
Justification for any direct marketing activity is either Legitimate
Interest or Consent (normally known as Informed Consent).
• The consent should be explicit in respect of what
the data subject has agreed to.
– This is interpreted as implying that direct marketing
should only rely upon consent as a lawful purpose,
when the individual has opted in to receive
communications from the sender and on the topic
– Implied consent is possible but should not be relied
upon without careful consideration. For example BT
might be okay to email their phone subscribers about
the phone service but NOT about their TV service, not
without explicit consent.
ICO fines firm £90,000 for nuisance
• The Information Commissioner found Boost Finance Ltd (BFL) responsible for
millions of nuisance emails about pre-paid funeral plans.
• Trading as findmeafuneralplan.com, BFL was behind 4,396,780 emails sent to
people who had subscribed to websites operated by BFL’s affiliates, but who had
not given their consent to receive them.
• The ICO investigation found that:
o In all but one of the websites, it was not made obvious who the emails were from.
o The majority of the websites did not provide subscribers with the opportunity to opt out of
third party marketing. It was BFL’s responsibility to ensure they had valid consent to send
o The investigation found that BFL relied upon inadequate and misleading methods to collect
personal data to obtain consent and that consent was not sufficiently informed and
therefore breached the Privacy and Electronic Communications Regulations (PECR).
o Consent is not informed if people do not understand what they are consenting to.
Organisations should always ensure that the language they use is therefore clear, easy to
Andy Curry, ICO Enforcement Group Manager, said:
“Companies seeking to use email marketing must make sure they follow the law. People would
particularly expect this to be so when the subject may be perceived as sensitive”
Email to Businesses
(Extract from the PECR)
• These rules on consent, the soft opt-in and the right to opt out do not apply to
electronic marketing messages sent to ‘corporate subscribers’, which means
companies and other corporate bodies e.g. limited liability partnerships, Scottish
partnerships, and government bodies. The only requirement is that the sender
must identify itself and provide contact details.
• However, it serves little purpose to send unsolicited marketing messages to those
who have gone to the trouble of saying they do not want to receive them.
• Corporate subscribers do not include sole traders and some partnerships who
instead have the same protection as individual customers. If an organisation does
not know whether a business customer is a corporate body or not, it cannot be
sure which rules apply. Therefore we strongly recommend that organisations
respect requests from any business not to email them.
• In addition, many employees have personal corporate email addresses and
individual employees will have a right under section 11 of the DPA to stop any
marketing being sent to that type of email address.
Scott Marketing – A Case Study
• Scott Marketing’s primary business is to organise
postal campaigns aimed at parents of young
people with the objective of recruiting them to a
local school or higher educational establishment.
• Our client was concerned about the impact of
GDPR upon his marketing activities and ordered
an email campaign aimed at persons responsible
for entrants within schools and universities.
• The objective was to reassure prospective
customers and send them to the client website.
The Campaign Starts
Good, Dependable, Proven, Reliable
data for student recruitment
Choose us for 100% safe GDPR education data
• For the next part of the campaign we wished
to test various aspects.
– The value of social media to this target audience
– Headline or Logo at the top
– The ‘style’ of the communication
o Whether the language is direct or ‘softer’
• Hence the A / B Test sent to Independent
Want to attract new pupils to your
Even in education, it's not always what
you know - it's sometimes who you
Come to us for direct mail to target parents by:
Household Income
and Postcodes
In direct marketing, it's not what
It's who you know
That's why we target the parents of your future pupils by...
Children's Ages, Parents' Income, Area Postcodes
Find out how it works
• The only Social Media which seems to
influence this target audience is Facebook.
• Placing the Headline above the logo is
preferable when communicating to new
• No conclusion was reached on whether the
different style had any effect.
So two more examples…
GCSE Results Time – Direct Marketing Time
Results change everything –
Helping you contact parents and pupils to
make decisions on their future education
A strategically timed direct mail campaign can help
choose which university, college or sixth form – at just
the right time.
Find Out More
Is Print the New Vinyl?
Everything’s digital now… websites… social
media… your contacts… your friends… your
Except… like vinyl, there’s been a
recent massive resurgence in print.
Even in today’s digital age, everyone enjoys printing
their photographs. Families pass printed literature
around. Unlike an email or a social media post, print
gets looked at again and again…
Just as digital music took over our lives, DJs started spinning
discs. Today’s teenagers think vinyl is cool and back to stay.
• Our Client sells a range of aprons for
professional use. There is a wide variety of
potential customers ranging from restaurants,
through bakers and butchers to blast furnace
• As before the objective of the campaign is to
drive new prospects to the client’s website.
Meet your Stalwart life partner… an
apron you can trust
Meet the One...
Your companion for life
When you put on a Stalwart apron for the first time, you’ll
know it’s the one for you. Its clean lines glide over your body,
it looks good, feels good and works perfectly alongside you.
What about Consumers?
• Evidently, it is not advisable to send emails to
consumers without specific consent; even to
your customers it can be dangerous. You must
consider the risk and the need.
• However, postal communications are all okay.
A postal address is not considered to have the
same level of privacy as an email. Particularly
if the address is published on the electoral
GDPR – Legitimate Interest
• “Legitimate interests is the most flexible of the six lawful bases. It is not
focused on a particular purpose and therefore gives you more scope to
potentially rely on it in many different circumstances.
• It may be the most appropriate basis when:
– the processing is not required by law but is of a clear benefit to you or others;
– there’s a limited privacy impact on the individual;
– the individual should reasonably expect you to use their data in that way; and
– you cannot, or do not want to, give the individual full upfront control (i.e. consent) or
bother them with disruptive consent requests when they are unlikely to object to
• There may also be occasions when you have a compelling justification for
the processing which may mean that a more intrusive impact on the
individual can be warranted. However in such cases you need to ensure
that you can demonstrate that any impact is justified.
• The legitimate interests basis is likely to be most useful where there is
either a minimal impact on the individual, or else a compelling justification
for the processing.”
So – Is Print the new vinyl?
• We never stopped loving print. There’s something about the
colours and life of a printed postcard, leaflet or brochure that
feels bright and real.
• Printed literature has a long life. It gets passed around,
considered and stays at home for everyone to see. Print isn’t
dead, digital didn’t kill it, because print offers style and
• Take a look at these facts from Royal Mail:
– As a direct result of receiving postal mail, 86% of people say they’ve
connected with a business online
– 36% of people have bought or ordered as a result of receiving direct
marketing postal mail in the last twelve months
– 70% of consumers think better of brands that send a direct mail postal
campaign – and feel more valued
*Extracted from a Blog published on the Scott Marketing Website
Final Do’s and Don’ts
• If sending an email ALWAYS allow an opt out and
keep a record of those who opt out and avoid
sending any further communication unless it is
• Do ask your customers to opt in to receive emails
and avoid sending general marketing emails. Do
NOT offer any incentive to opt in.
• When using Legitimate Interest be sure to
evaluate the risk. Is there any potential harm for
With thanks to:
and my colleagues at