Automotive retail businesses will see a “domino effect” of reliance on ‘Legitimate Interest’ to comply with the stringent GDPR, according to MotorVise managing director Fraser Brown.
The sales, training and recruitment supplier and consultancy claims that discussions with the Information Commissioner’s Office (ICO) have indicated that it will become the key line of defence for car dealers concerned about their ability to contact customers under the new data legislation.
Brown said: “Many suppliers are already coming to this conclusion and eventually there will be a domino effect. We’re sure of it.”
Here Brown shares his opinion on Legitimate Interest.
The General Data Protection Regulations (GDPR) come into effect on 25th May 2018. You have very little time left to re-assess the strategy your dealership/dealer group takes to become compliant.
In a nutshell, will your future customer communications be based on a consent (opt-in) basis? Or on a Legitimate Interest basis? It’s one of the most important decisions your business will make.
To date most organisations have believed that consent was the only route. However, the latest clarification from the Information Commissioner’s Office (ICO) indicates that Legitimate Interest might be the best route for car dealerships to go down.
To be clear, you can’t do both. You must decide as an organisation on what route you are going to take, document why you have made that decision, and move forward on that basis. Changing your mind at some point after May 25, without good reason, will be difficult.
At MotorVise we've been at the cutting edge of GDPR, being one of the first to issue a toolkit specifically for car dealerships. We also work with many dealerships, advising and guiding them on getting ready for GDPR.
We now strongly urge dealerships and dealer groups to reassess their approach to GDPR in light of the 2018 Data Protection Act and latest guidance from the ICO. It is our belief that Legitimate Interest may be the best route for dealerships to take.
What GDPR introduces in Article 6
Article 6 provides that processing of data shall be lawful only if one of the following applies: (a) Consent has been given, (b) Necessary for the performance of a contract, (c) Necessary for the compliance of a legal obligation, (d) Necessary to protect vital interests, (e) Necessary for public interest, (f) Necessary for the purposes of Legitimate Interest pursued by the controller.
Up until this point in time, all we have heard regarding GDPR and marketing is that consent (point (a)) in the form of opt-in must be obtained. However, if we look to point (f), it provides the option of processing if it is for the purposes of Legitimate Interest.
Under GDPR, consent is not the only way to process data for the purposes of marketing to customers. You can still do so if you have a Legitimate Interest.
What is Legitimate Interest? Recital 47
Recital 47 provides that the Legitimate Interest of the controller may provide a legal basis for processing data so long as the fundamental rights and freedoms of the data subject are not overriding (e.g. right to erasure, right to object, right to be informed how Personal Data is processed).
Legitimate Interest could exist where there is a relevant and appropriate relationship between data subject and controller in a situation where the data subject is a client or in the service of the controller (previous customer or negotiations of a sale).
Recital 47 also reiterates “the processing of personal data for direct marketing purposes may be regarded as carried out for a Legitimate Interest.”
If you have a relationship with a customer (through a previous sale or negotiation) and they have not asked to be erased or objected to being contacted, you may have a Legitimate Interest to contact them, even for the purposes of direct marketing.
Is it that easy?
To rely on Legitimate Interest, you are strongly advised to conduct a Legitimate Interest Assessment.
There is no set test in law, but the best guidance is provided by the Information Commissioner’s Office (ICO), which outlines the following three-stage test:
1) Identify a Legitimate Interest – a Legitimate Interest may be a commercial objective, however this must be clearly articulated and communicated to the individual at the point of data collection.
2) Carry out a Necessity Test – consider whether the processing of Personal Data is “necessary” for the pursuit of your commercial objectives. The interpretation to be used regarding necessity should be to simply ask “is there another way of achieving the identified interest?”
3) Carry out a Balancing Test – you can only rely on a genuine Legitimate Interest where the freedoms of the individual whose Personal Data will be processed have been evaluated and these interests do not override the controller’s Legitimate Interest. Would the data subject reasonably expect their Personal Data to be processed? What impact would the processing have? What safeguards are in place? These are all things to be considered.
So, in order to recognise whether you have a Legitimate Interest to contact customers, you must conduct a three-stage test (outlined above).
The customer must be informed of the Legitimate Interest at point of collection and thereafter, the processing must be necessary, and the rights of the customer must not outweigh your Legitimate Interest to process their data.
Businesses must consider PECR
Businesses operating out of the UK must also consider the Privacy and Electronic Communications Regulations (PECR). PECR states that you must not send marketing emails or texts to individuals without specific consent (unless an exception applies).
There is an exception with PECR known as ‘soft opt-in’ whereby you can send emails/texts without consent so long as the following conditions are met: (1) You have obtained contact details during a sale (or negotiations of a sale) of a product or service, (2) You are only marketing your own similar products or services, (3) You provided a simple opportunity to refuse or opt-out of the marketing when you first collected the Personal Data and in every subsequent communication.
So, UK businesses must also consider the ‘soft opt-in’ requirements provided by PECR: data was obtained at point of sale (or negotiation), data is only used for marketing your similar products or services, and an opportunity to opt out was provided at the time of collection and at every future point of communication.
Why opt for consent?
GDPR sets the standard for valid consent very high – customers must actively opt-in to communications and methods of communications must be separate.
Consent offers organisations more legal certainty, whilst Legitimate Interests are subjective by their very nature, being interpreted against the guidance provided.
Nevertheless, businesses must understand that consent is not the only option. Legitimate Interest offers businesses the possibility to continue communicating to previous customers (and enquiries) through direct marketing so long as the requirements outlined above are met.
Author: Fraser Brown, managing director, MotorVise