We see many companies running marketing campaigns that are held back by their approach to GDPR and other privacy legislation. The biggest problem is failing to understand legitimate interest, and what it means for B2B marketers.

In our on-demand webinar ‘GDPR: What the Hell is Legitimate Interest?’ we explore legitimate interest, and how you can use it to deliver better marketing campaigns. We cover:

  • How does GDPR affect B2B companies?
  • Does GDPR really require opt-in?
  • What is legitimate interest?
  • How does GDPR treat sales and marketing differently?
  • How can I use legitimate interest to run better campaigns?

Register to view our webinar on demand by clicking here, and why not get in touch to let us know if our insights helped you.

Napier Webinar: ‘GDPR: What the Hell is Legitimate Interest?’ Transcript

Speakers: Mike Maynard

Good afternoon, everyone. And thanks for joining us for another Napier webinar. I’m Mike Maynard. And we’re going to talk about GDPR and legitimate interest. So what we’re going to try and do today is we’re going to try and investigate, you know, how restrictive GDPR is, and where the options are, or the ways that you can potentially get around some of the perceived restrictions. This is not legal advice, of course, and I will talk about this as we go through.

I’m not a lawyer, and we certainly wouldn’t pretend at Napier to be giving legal advice. So please do take legal advice if you’re gonna make any decisions based on this. But this is to give you an overview from a high level sort of marketing level of the regulations, and really the importance of legitimate interest. So any of you that follow Formula One will know Adrian Newey, who is currently looking for a new job. I know we have various fans at Napier, of Formula One, that are hoping he’s gonna go to their team, but Adrian Newey is famous for taking advantage of regulations. And, you know, one of his quotes was “I do enjoy regulation changes for sure.” So we’re going to have a look at regulations and see where actually the regulations perhaps aren’t as bad as people think. So let’s have a look very briefly at, you know, what we’re going to talk about. We’ll very briefly talk about, you know, GDPR and b2b.

We’re gonna talk about opt in, we’re going to talk about sales and marketing, which I think is very important. We’re gonna talk about legitimate interest and how we can use legitimate interest. Then finally, a summary and questions and answers. So if you do have any questions whilst we go through the presentation, then please do put them into the chat. This is the best way to do it. And if you can put them in whilst we go, that means that there won’t be that awkward silence whilst people are typing in questions. I can’t promise to be able to answer everything. And obviously, as we go into more depth in the regulations, that is, you know, where we can’t give advice. So we’re not lawyers, this isn’t legal advice. And so, you know, this is designed to give you a guide to the regulations to help you understand a bit better, but it’s not designed as legal advice. And as I said earlier, we’re not, as an agency, in a position to give legal advice, because we’re not registered lawyers.

So let’s have a brief look at GDPR, how it impacts b2b, and maybe some of the other privacy legislation that’s around the world. So a lot of people got very freaked out about GDPR. It was one of the first bits of privacy legislation passed around the world. But this is a map. This is a map from a company called DLA Piper, they provide advice and information on data protection, very much recommended if you want to get more data. And they show where there is regulation. And you can see that today, there’s actually a lot of regulation around data privacy. And if you look in terms of population centres, there is a huge amount of heavy regulation in the biggest population centres. So we’re looking at North America, we’re looking at China, we’re looking at India and Europe. So areas where there is very heavy regulation. South America, to be fair, there’s less regulation, there’s less regulation in Russia. And then obviously, in Africa, the rules are not quite as mature. But even in Africa, we’re beginning to see some heavy regulation come in. And I expect that trend to continue. Now, the issue is, is that there’s actually now lots of legislation.

So if we look basically, in Europe, we’ve got the GDPR, the General Data Protection Regulation, we’ve got PECR, which came before it, but still has some things that apply, which is the Privacy and Electronic Communications Regulation. The UK has a Data Protection Act, which effectively is enacting GDPR in the UK. And then the USA has a whole range of different acts that impact privacy, some of them directly privacy legislation. And then some of them are much broader. The Federal Trade Commission Act of 2022 actually has implications for privacy. Add on to that a lot of states. You know, other states that are in addition for California ones have privacy laws. It’s a very complex picture.

But what we’re going to talk about is GDPR. The reason why we’re going to talk about GDPR is, it’s not only probably the one that is best known and most talked about. But it also provided a template that was adopted by a lot of other regulators. So there’s a lot in the California legislation that reflects GDPR, for example. So the first thing to say about GDPR is that GDPR actually isn’t a law. GDPR is a directive from the European Union. So this directive is then implemented in law by each different country. So if you look at it, it’s actually quite different when you go from country to country. And this is super, super important. So for example, in Spain, if you break GDPR regulation, it’s not a criminal offence. In the UK, it’s a criminal offence, and then in Germany it’s a criminal offence. And there’s quite a lot of things you can do that make you end up in prison. So very different penalties from country to country for breaching GDPR. And more importantly, there’s very different interpretations by the courts. Now, the European Commission is trying to get consistency, or at least more consistency from country to country. And ultimately, some of these appeals are going to the European Court, like the Dutch Tennis Federation. But it’s very hard to know exactly what the law will be from reading GDPR. Because every country has implemented the law slightly differently. And of course, Germany is pretty renowned as one of the countries that have taken the strongest approach to privacy.

So most pro privacy approach and some of the strictest penalties. So we can’t tell you, and no one can tell you, you know, what the penalties are for breaching GDPR, or indeed what the law is because it does vary from country to country. And typically, depending on the size of company, you know, you might have one location, or a primary head office location in Europe, or you might actually be governed by multiple locations across Europe, if you’ve got multiple offices that are all responsible for sales and marketing. So it’s not even a case that necessarily you can always easily be accountable to just one legislation. So GDPR, the main thing it did was it established certain rights. And these are the rights that had to be implemented into law. And these are the rights that in some cases are implemented slightly differently. So perhaps the most important is transparency. And that’s linked to providing information as well. So this is all about being open about how you’re going to use data. So we can see here on the right hand side, the screenshot I’ve grabbed.

This is from the UK Information Commissioner’s Office, we hope that they’re pretty good at following the regulations, because they’re the people who effectively enforce it. And they say, we’ll use this information to process your payment, and maintain the public register, we’ll publish all information you provide, except where we tell you otherwise, it’s going to privacy notice there. And so they’re being very clear about how they’re taking the information, the fact they’re storing it, and the fact they’re publishing it. And that probably is the single most important thing I would say about a lot of the data protection regulations is particularly when you’re looking at b2b, which is considerably more straightforward than for example, gathering data on consumers under 18. Then, it’s very much about transparency and clarity about how you’re using the data.

There are a number of other rights as well, that GDPR gave data subjects, so people whose data is being collected. So that includes like the right of access, the right to rectification. So you can see your data, you can correct it, you can ask for it to be deleted, and so on. And so there’s lots of things there. Interesting, there’s a right to not be subject to an automated decision. This applies to certain situations, where actually in some cases, you can’t completely automate decision making based upon data. So really lots of rights and really quite broad ranging. But of course, as marketers, one of the things we find very, very difficult is that GDPR treats sales and marketing differently. You know, we’ve all seen our company’s policies and the policies are very restrictive around marketing, and then much more flexible around sales. So GDPR treats us differently, or does it actually? The truth is, is that there is no difference in terms of the rules between marketing and sales.

So if you’ve got rules that are different between marketing and sales, like marketing can only email contacts that an email in the last year, but anyone in a salesperson’s Outlook is fair game, or marketing can only email people who opted in, but sales can email anyone, that actually is not reflecting either the letter or the spirit of the law. GDPR is about processing personal data. It’s not specifically about marketing. There are some details when you get right into it about email marketing and electronic marketing. But in general, marketing and sales are governed by the same rules. And if you want your company to be compliant, your rules should be consistent across both marketing and sales.

Now, actually, what people tend to do when they have different rules for sales, is effectively they’re assuming legitimate interest for sales. And they’re not assuming it for marketing. And this is crazy, because there’s no reason why you shouldn’t assume marketing has legitimate interest. And you shouldn’t assume why marketing professionals can’t actually follow the regulations around legitimate interest. But the single most important thing I think we need to remember is that GDPR does not relate to sales. It’s about the processing of personal data. And it’s about the movement of that data. It’s not about different functions in your organisation. So now we’ve established that we actually should have the same rules for sales and marketing. And you know, one of the other questions people always ask is about opt in and opt out. And the question is, do you require opt in? Well, the answer is within the GDPR legislation, you are required to have explicit consent, i.e. an opt in, unless you have what’s called a legitimate interest.

Now, you always need to offer an opt out, that’s compulsory, no matter how you’re dealing with things. But you don’t necessarily need an opt in. Now, just as a caveat here, these laws are implemented slightly differently from country to country. But where we look in the UK, for example, absolutely using legitimate interest is a valid approach. And there is no issue in terms of breaching any of the regulations for not requiring an opt in, provided that you’re actually using that for legitimate interest. And we’ll talk a little bit about that as we go through. So legitimate interest, one of the things you can do is you can actually process data under GDPR, if it’s necessary for the purposes of a legitimate interest. And this is the interest of the person who has the data so that she was the data controller or the marketer. And you always have rights to follow your legitimate interest, except when those interests are overridden by the interests or the rights of the person whose data you’re protecting, you’re processing, sorry.

So and this is particularly important when the data subject is a child, obviously. So this is a very difficult thing to look at. Because, you know, what you’re trying to do is balance your rights to effectively in our case, do business and market products against the people who you’re marketing to their rights to have privacy. But there are some very easy cases to look at. So one of the legitimate interest cases is around medical data. So if I’m unconscious, and in the ambulance and being rushed to hospital, and you’re aware of a medical condition, under GDPR, you probably shouldn’t release that, particularly if you’re an employer. However, clearly GDPR is not going to say you mustn’t release it, and you must let me die. Thank goodness for that, you are going to look after me. So GDPR has an explicit and legitimate interest around medical data to allow that to be released for emergency treatment.

So it’s really important that you understand that, although there are restrictions, even with medical data, which can be highly sensitive, if there’s a need, a legitimate interest, you can actually release that data without permission. Now, that’s important. And you guys have obviously released the information to help me as I’m being whisked to hospital. But some other good news is that in GDPR, and in the UK legislation as well, there is expressly the statement that the processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interest. So there is explicit language within GDPR that says you have a legitimate interest to run marketing campaigns using data. And obviously, as long as you balance your legitimate interest against the rights of the data subject, you’re able to do that without opt in. And, as I say, some caveats in some other countries in Europe. But fundamentally, that’s what GDPR says. Now, one of the things that is really important is when you do actually run your legitimate interest campaigns, you need to know why you’re processing that data. So you know, why you’ve gathered the data, how you’ve got it, and why there’s a legitimate interest to process it. And so very, very simply, it’s all about selling, it’s all about communicating with people who are likely to be interested or relevant.

So this is the balance that generally the courts seem to have followed, you know, spamming out to 40 million people to sell them, you know, I don’t know, some high end piece of electronic test equipment is clearly not reasonable that most of those people have no interest in the product, you’re just sending spam, that’s not balancing your rights out. But to market to 100 engineers in companies that you target that you know, responsible for test equipment, that clearly is going to be a legitimate interest that people are going to understand that the reason you’re targeting them is because they are very likely to be interested in the product. So basically, you should make use of legitimate interest. And you can use it for some very, you know, straightforward things. So, you know, selling related products to customers clearly as a legitimate interest, clearly, there’s likely to be interest from those customers. And it’s explicitly discussed as one way to actually use legitimate interest equally, you know, contacting ex customers, or even using contact databases in a sensible and mature way. So, don’t be that Sharky salesman who’s just blasting out to everybody.

If you’re selecting people who you really believe are relevant, you’re offering a completely transparent and effective opt out system, then there is a legitimate interest for you to market to those people via email. But obviously, you’ve got to avoid some things, you know, if you don’t give the option for opt out, or don’t respect the option for opt out, you’re going to be breaking the law, pretty much, you know, large untargeted lists, almost certainly not going to be considered legitimate interest. Large volume of contact details. Again, you know, collecting unnecessary data, you know, isn’t going to be good. You know, as an example, asking, you know, customers of your test equipment, what religion they are, probably isn’t going to be seen as a very good thing in the eyes of any of the regulators. And lastly, the last mistake that actually a lot of people make, is not identifying that purpose and need. So how you collected that data, why you collected it, and why you have an interest is really important on your database. So hopefully, this makes you feel a lot better. As I say, in some countries, particularly Germany, you will need to take some advice on what is possible within German legislation, it is more strict than pretty much anywhere else in Europe. But in most other countries, you’re able to use legitimate interest absolutely freely. And there is no problem at all, in marketing out and using, you know, emails, for people who haven’t explicitly opted in. There is one other thing that probably is worth mentioning, which is keeping your database up to date. So there is a requirement in GDPR to keep your database up to date, you should be cleaning it all the time. And one of the reasons that companies do implement there, you can email someone if they hadn’t responded in the last six months is they feel that’s a way to keep the database up to date.

In theory, of course, because as we’ve talked about before, the focus of GDPR is processing data. If you’re not emailing them, you should also be deleting that contact, because otherwise it’s still sat in your database and still being processed. So you need to think about your policies there. In reality, I think the email Bounce Back System is a pretty good and reliable way of knowing whether someone has left the company. And so I think you know that that normally is regarded as a fairly effective way to keep your database clean. But if you’ve got a lot of people, and you’ve got a lot of bounce data, you should again be removing that from the database because you’re not meeting a requirement to keep the data up to date.


So, final takeaways, I mean, firstly, this is not legal advice, as we said. We have, as far as we can, given you accurate information but we’re not lawyers. The second is GDPR is not a law. There is no one European GDPR law. There are moves in the European Commission to try and harmonise data protection across all the countries. But that seems to be dragging its feet. And not only does each country have its own laws, but each court, each country’s court may interpret those differently. There really is from a GDPR point of view, no difference between marketing and sales, sending out emails, they both process data. And lastly, legitimate interest is an opportunity to run campaigns on an opt out basis for many European countries. So legitimate interest is a huge opportunity for people to expand their audience. So hopefully, this has been useful.

If you have any questions and haven’t typed them into the chat, please go ahead and do that now. And whilst you’re just thinking of questions, and typing them in, a little promo for our next webinar, and our next webinar is Wednesday, the 12th of June, it’ll be four o’clock UK, five o’clock CET, 8am for those of you in California. And it’s all about the good, the bad, and the ugly of measurement. So it talks about five metrics that will get you promoted. And three that should get you fired. So if you want to know about marketing measurements, anything from meaningless marketing measurement metrics all the way through to how you measure the measurable. And the next webinar, hopefully will be useful.



We’re trying to shorten our webinars a bit, some of our webinars ran to about 40 minutes with questions, we’re aiming to get them down to below 30. So hopefully, it gives you a bit more time as well, and won’t take so much out of your day. So that’s covered our very brief overview of legitimate interest, and why it’s so important. I’d ask if there’s any questions, if you can enter them in now.

So Fran has asked how often do we need to carry out a legitimate interest assessment. And this is really interesting, because there’s not really a process in GDPR that I’m aware of anyway, and again, not a legal person, around legitimate interest assessments. The law says, you can only use legitimate interest if you have a legitimate interest. So there’s no defence saying, Oh, we looked at it three months ago, and we thought it was just legitimate now, then, so we’re now doing the same thing. So you should always be keeping your assessment of what’s legitimate, and what’s not, up to date. And so, you know, trying to do it as cycles may be something you choose to do. But I think, you know, whenever you run a campaign, and you’re using legitimate interest, I think, having a thought about, you know, Is this fair? Does this in our opinion, balance, you know, our rights, to, you know, pursue our business, versus the people who are going to market to their rights to privacy. And I think it’s important to do that, you know, really every campaign unfortunately.

We’ve got another question from John. Thank you, John, for the question. A clear purpose and need, one of the things specifically given in the GDPR legislation, is marketing products. So a legitimate interest for a business is to, you know, want to market and promote your products to potential customers. So that is absolutely an example of purpose and need. Typically, what people do when they’re gathering data around legitimate interest, is it’s much more around why they think that contact is relevant to their company. So why they think they’ve got a legitimate interest to that contact. So as an example, you know, there’s lots of clients here, I think, that are from the electronic components business, we have a big show coming up called electronica. It’s a reasonable assumption that anybody who comes onto your booth at electronica is probably in some way interested in your products, certainly relevant, and recording that you obtained the contact details at the electronica trade show would be a great example of showing why there is legitimate interest for that particular person, and why your interests might outweigh their need for privacy. If you go into Munich and go to the Hofbrauhaus, get drinking and then pick up a few business cards off the floor, you know, whilst there’s a chance some of those might be relevant to your business, unless you can show specifically that, you know, the companies they work for are relevant, it’s unlikely you could really convince any court that you had a legitimate interest in emailing them, because they were in the Hofbrauhaus in November. So I think it’s about, you know, understanding why those contacts are relevant to you, rather than necessarily defining your need at the time of data collection.

So I think we’ve covered all the questions there. As I said, we’re trying something a little bit different. We’re trying to complete the presentation for these webinars in about 20 minutes. And make sure you don’t have to spend more than half an hour listening to us. So we give you some time back. Hopefully you like these slightly shorter webinars. If you don’t, obviously, tell us if you do, please definitely do tell us because we’d love to hear if you’d like something around the webinars. And I hope to see you all for the next webinar, where we’ll be talking about marketing metrics, and the metrics that should get you promoted as well as the ones that might get you fired. Thank you very much, everyone, and look forward to speaking to you in June. Bye.