GDPR and Legitimate Interests

GDPR and Legitimate Interest

GDPR (General Data Protection Regulations) allows six lawful bases for processing personal data.  Consent is one, but Legitimate Interests is another, and is more appropriate for B2B sales and marketing to potential clients.

Guidance from the Information Commissioner says that Legitimate Interests may be the most appropriate basis when:

“… the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.”

It is worth noting that direct marketing is described in the GDPR as an activity that may indicate a legitimate interest. 

However, the direct marketing must be legal; as it is legal for businesses to market to each other via contact with employees through post, email, SMS, and telephone calls (provided the number is not registered with the CTPS).

As part of our marketing policy, our Legitimate Interests Assessment is below:

Purpose of Processing

Inovra Group has a legitimate interest to process personal data relating to decision makers and budget holders in micro to large organisations in the UK.  The data is gathered from publicly available sources and directly from the companies concerned.

Lawful Business Objective
The purpose of processing is necessary in order for Inovra Group to market its products and services to potential and existing business clients.  Business-to-business marketing purposes is a lawful business objective as identified by the Privacy and Electronic Communications Regulations 2003 (PECR). Recital 47 of the GDPR identifies direct marketing as a legitimate use of personal information.
Reasonable Expectation
The data subjects are senior business people with decision-making and budgetary responsibilities and can reasonably expect to be contacted with marketing material relating to their professional roles.
Adequate, Relevant and Limited

The data collected is limited to names of senior managers and directors, their job titles, company addresses, company landline telephone numbers and corporate email addresses. If a person leaves their role, their name and contact details are deleted from the database. 

Opt Out
If a data subject requests that their data is removed from the database, it is suppressed so that it cannot be accessed or added again at a later date.
Valuable Service
In supplying high-quality best practice advice, Inovra Group provides a valuable service to businesses.  In the absence of Inovra Group and similar high quality service providers, businesses would have to rely on trial and error for their continuous improvement needs, which would have a detrimental effect on the success of their businesses and the wider economy.
Inovra Group has updated its Privacy Policy to show that we are relying on Legitimate Interests to process data.
You can read the Information Commissioner’s guidance on legitimate interests in full on the ICO website.