General Data Protection Regulation (GDPR)

Help is at hand!

On the 25th May 2018, there is new EU legislation that comes in to force. (GDPR) There are many blog posts and pages on the internet that want us to believe the world is coming to an end. So the burning question is “Can I still use Email as a marketing method with this new legislation in place?” and although we would like to say YES to everyone we obviously can’t, but fortunately the answer will be yes to the vast majority of you. What we can say is the Information Commissioners Office (ICO) have released some extremely helpful guidance, the links to this will follow further down the page.

  • Key Fact – You have to establish what Lawful Basis you are “processing” (in this case emailing) an individuals Data on. There are a number of these but for the purpose of email Marketing, we need to focus on two.


We recommend consent as the lawful basis for processing for all future individuals coming into contact with your organisation. For contacts/individuals that are in your database prior to GDPR, this might not be retrospectively possible and you should consider ‘Legitimate Interest’ as the lawful basis for processing (Emailing) these individuals.

What is very important, is that if you establish the lawful basis for ‘Processing’ (Emailing) as Consent that you are able to provide all the necessary information to the individual should you be challenged.  I.E If you have an opt-in which was collected prior to GDPR and was not GDPR compliant,(Pre Ticked box) it is important that you do not ‘process’ using Consent as your legal basis as it is not compliant. You would be better to consider if you can process under ‘Legitimate Interest’.

ICO Website Quote -“Legitimate interests is the most flexible lawful basis for processing

ICO Website Quote- “The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.”

ICO Website Quote- “The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interest….”

To use ‘Legitimate Interests’ as your lawful basis to ‘process’ (Email) then you would need to have conducted a ‘Legitimate Interest Assessment’ (LIA) and conclude that the following criteria have been met (The checklist below has been published by the ICO) :-

☐ We have checked that legitimate interests is the most appropriate basis.

☐ We understand our responsibility to protect the individual’s interests.

☐ We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.

☐ We have identified the relevant legitimate interests.

☐ We have checked that the processing is necessary and that there is no less intrusive way to achieve the same result.

☐ We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.

☐ We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.

☐ We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.

☐ If we process children’s data, we take extra care to make sure we protect their interests.

☐ We have considered safeguards to reduce the impact where possible.

☐ We have considered whether we can offer an opt out.

☐ If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.

☐ We keep our LIA under review, and repeat it if circumstances change.

☐ We include information about our legitimate interests in our privacy notice.

Prior to ‘Processing’ you would need to document the above and your conclusions, and record it as your LIA (Legitimate Interest Assessment) and provide a copy of it should you be asked for it. We advise publishing your LIA and providing a link to it from the bottom of the emails you send using ‘Legitimate Interest’ as your lawful basis for processing.

Many of you marketing to employees within organisations will find ‘Legitimate Interest’ a reasonable basis to process as the risk to the Individual is negligible and the commercial interest to the organisation outweighs the risk to the individual. All the other criteria have to be met but for most of you should be straightforward to comply with.

If you have any more questions about GDPR in relation to our services, please contact us for more information.