News and opinions

Legitimate interests – when you can you use it?


Whether you are sending marketing communications to people or fundraising, in the world of GDPR, it is essential to be clear which legal ground you are using for processing data and contacting people. The Institute of Fundraising (IoF) explains more about these legal grounds in its GDPR guide but in a nutshell there are two options: consent, or legitimate interests.

Legitimate interests is something that many organisations are interested in using because it allows you to process data and contact people via direct marketing without their prior consent – but it’s only valid under certain circumstances.

Firstly, you can only use it to contact people by post, and by phone, providing they haven’t told you otherwise or registered with the MPS or TPS.

Secondly, your legitimate interests for processing someone’s personal data or contacting them must not be over-ridden by their interests and rights, and if they have told you they don’t want to be contacted by you, then that’s a definite no – you cannot contact them, full stop.

Additionally, there must be a specific purpose for your planned activity.

So, how can you be sure the grounds of legitimate interests are for you?

If you want to start processing data in your legitimate interests then according to the ICO, there are three questions you should ask yourself, and only if you answer yes to all three may you proceed.

1. Are there legitimate interests behind the processing?

2. Is the processing necessary for that purpose?

3. Are the legitimate interests overridden by the individual’s interests, rights or freedoms?

Before you contact people, ask yourself too if it is something they might reasonably expect to receive from you, whether it is clear in your privacy statement that you will send out direct marketing, and whether you have given them an obvious opportunity to opt out.

Make sure then that they have not in fact opted out, that there are also no reasons you can think of why they might find your communication objectionable, and that you always treat people fairly and respectfully.

The GDPR doesn’t specify what purposes could come under legitimate interests. So it could be as simple as it being to help grow your business, keep customers up to date with your news, or tell supporters about a new fundraising appeal – but it must pass the above tests, and you do need to have a specific outcome in mind. 

If you find it all too confusing and this is holding up your ability to act, Arc Data can help you get to the bottom of your specific interests in either a one to one consultation or a team workshop, email to find out more.

Stuart Townsend