GDPR Legitimate Interest Assessment
According to the Information Commissioner's Office (ICO) there are three elements to the legitimate interest basis: identify a legitimate interest; show that the processing is necessary to achieve it; and balance it against the individual’s interests, rights and freedoms.
- The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
- You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
- Keep a record of your legitimate interest assessment (LIA) to help you demonstrate compliance if required.
- You must include details of your legitimate interests in your privacy notice.
Source: Information Commissioner's Office
Under strict licence conditions, Prolists supplies marketing data to organisations wishing to communicate with postholders and elected members in the UK Public and Primary Care Health Sectors. This marketing data contains limited, work-related, non-sensitive details of such individuals.
Identification and Justification of Legitimate Interest
Ability to Trade
Prolists is an established business, successfully trading since 2005. Almost all our revenue is derived from supplying public sector marketing lists to our customers. Without the ability to control and process the data in these lists, Prolists would be unable to operate.
We are unable to use a different GDPR legal base for processing personal data as they all require explicit consent. As the data set we process comprises some 200,000 individual contact records, it would be impossible to speak personally to every person in that data set to obtain such consent.
Freedom of our Customers to Promote
We believe our customers have the right to promote their products and services in a fair and responsible way, compliant with both the GDPR and PECR. Customers may also use the GDPR Legitimate Interest option where justified, and the PECR does not prevent them from contacting the corporate data subjects contained in our lists by email.
Compliance with the GDPR
Recital 47 of the official GDPR text says this about Legitimate Interest: “The processing of personal data for direct marketing purposes may be regarded as carried out for a Legitimate Interest”.
The Information Commissioner (ICO) says: “Legitimate Interests (may be used if): the processing is necessary for your Legitimate Interests or the Legitimate Interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those Legitimate Interests”.
The Direct Marketing Association (DMA) say: “B2B marketers will be able to make use of the Legitimate Interest legal ground for their marketing activity in most instances”. We believe that we meet all those points in a fair and transparent way.
Impact on Privacy
The names and job titles of most senior postholders and all elected representatives are available via online sources, websites and freedom of information requests, and are therefore already in the ‘public domain’.
Where the public domain sourcing of data is not an option, information is sourced either directly from the postholder, from other GDPR compliant sources, or directly from their employer. The data we supply is regularly refreshed by a continuous cycle of improvement and editing. All requests to be removed, suppressed or forgotten are honoured.
As stated earlier, only a restricted subset of a postholder’s data is processed. This is limited to the person’s name, job title, work address, telephone number and business email address. No demographic or sensitive data is collected (e.g. salary, home address, marital status).
Controlled Distribution of Data
We do not sell data; it is only available under licence. See Terms. The data may not be copied, resold or shared. Usage is monitored (via tracer emails) and misuse is subject to penalties. As part of our terms customers are required to comply with all relevant legislation, including the GDPR and PECR.
Customers may only send communications that are likely to be relevant to the business role of the postholder. The data may not be used to promote products or services of a ‘consumer’ nature. Customers must not make excessive efforts to contact postholders. We recommend a limit of 12 email campaigns per annum. We carry out basic reasonable checks that any potential customer is legitimate.
Customers must observe and honour all requests to be removed (or suppressed) from a mailing list. Importantly, customers are provided with data updates, upon request, at 3-monthly intervals.
Potential Harm to Data Subject
Based on the above methods and controls, we do not believe that the authorised use of our data constitutes any personal risk to the data subject or causes any harm. No minors or vulnerable persons are affected.
Reasonable Expectations of Data Subjects
As representatives of public bodies, data subjects should reasonably expect that commercial organisations will attempt to contact them with relevant information, provided that their rights under the GDPR and PECR are protected.
Rights of Data Subjects
Data subjects can easily contact Prolists or our customer to request suppression or permanent removal from a list. The individual senders of emails can usually be blocked by a data subject from within their email client if it is felt that they are irrelevant or intrusive.
- Due to the nature of our business, we cannot see an alternative to Legitimate Interest if we are to operate as a business.
- We meet the definitions and requirements of the GDPR and advice from the ICO and DMA in our justification.
- Based on our methods, monitoring and controls, we do not believe that our processing and licensing of personal data will have a detrimental or harmful impact on the data subject.
- Via our privacy statement, we offer full transparency into our business model and the way in which personal data will be used.
- Data subjects may contact us to request removal or suppression from any lists that we hold or to demand any other rights detailed within the GDPR and PECR.