This week we'll be discussing the implications for direct marketing - particularly as this is the business we're in!

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

The positive news?

Direct marketing is specifically referred to as a legitimate interest in the GDPR. For a legitimate interest to exist, the GDPR says there should be a "relevant and appropriate" relationship between data controller and subject. And it should be assessed whether the individual would "reasonably" expect their data to be processed at the time and context in which the data is collected.

It also says the use of legitimate interest must be a balance between the company's interest and the rights of the individual.

Would a customer expect a business to use their personal data to promote its products and services (providing they hadn't already opted out of messaging)?

To what extent would this impinge on the fundamental rights of the customer, such as the right to privacy?

In addition, depending on how compelling the message to the customer is, there'll be a difference between marketing an event they've attended previously, and an unsolicited product ad they've never heard of.

One interpretation of this legitimate interest is that it allows you to collect and use personal data for marketing purposes, as long as you've already got their consent.

This doesn't leave you free to carry out direct marketing without consent.

It is also unlikely that if you fail to gain consent from an individual, you'll be able to fall back on the claim of legitimate interest as a method of lawful processing. This is an area that is likely to remain unclear until the ICO or Article 29 Working Party provide greater clarity.

As soon as this information is available, however, you can be assured, we will be blogging about it!