With just under a month to go until the May 25th deadline, it seems that one of the biggest issues event marketers are currently facing around GDPR is figuring out which legal basis to use when contacting people on mailing lists. ‘Consent’ is the obvious choice but ‘Legitimate Interests’ (LI) can also be considered as a viable legal basis – especially in the context of B2B event marketing.
However, before making that all-important decision, event planners need to understand what LI actually means under GDPR, how to decide whether or not they can use it as a legal basis, and what added risks they need to take into consideration to avoid unpleasant surprises in the future.
What Event Marketers Need to Know About Consent
One of the major changes for event planners with regards to GDPR compliance is the new conditions for consent. For one, pre-ticked boxes are no longer an indication of valid consent. You also need to make it easier for people to exercise their right to withdraw that consent. Clear and plain language is also a key requirement, so that individuals can understand exactly how their data is going to be used. They should also be given the choice to consent separately to different types of processing whenever possible.
But consent under GDPR can also be quite confusing in the context of marketing. Firstly, it is only one of six equally-valid legal bases which can be used for the purpose of processing personal data. Secondly, if you decide, for example, to use consent as a legal basis for sending prospects marketing communications around your events, it will be difficult to swap to a different one after. The ICO’s advice here states that even if a different basis could have been applied from the start, retrospectively switching lawful basis is likely to be unfair to the individual and lead to breaches of GDPR’s accountability and transparency requirements.
There is also the issue of the Privacy and Electronic Communications Regulations (PECR), how they work alongside GDPR, and the differences in requirements between B2C and B2B event marketing. This is a big subject on its own, but according to this article from the Direct Marketing Association, there are some key things you need to know:
- GDPR is primarily concerned with how personal data is captured, processed and managed. Direct marketing activities through phone, email and SMS are actually covered by a separate piece of legislation – the PECR – which is currently law and will remain in place once GDPR takes effect in May 2018.
- PECR requires you to have GDPR-compliant consent for any B2C marketing activities (e.g. music festivals), as well as B2B marketing that targets sole traders and some partnerships.
- Under PECR, however, B2B marketing to staff members of limited companies, public limited companies, incorporated partnerships, trusts and foundations, local authority and government institutions can use ‘Legitimate Interests’ as a legal basis for processing personal data.
- PECR will be replaced in the future by the ePrivacy Regulation which, as it is currently worded, would require B2B marketing to use ‘consent’ as the legal ground for electronic channels, just as B2C does at the moment (though much lobbying is being done to prevent this from happening).
- Until the ePrivacy Regulation is agreed, PECR will remain in place – it is unlikely any decision will be made on the final requirements until late 2018 or early 2019.
You can get more detailed guidance from the ICO on the rules around B2B marketing, the GDPR and PECR here.
What Event Marketers Need to Know About Legitimate Interests
The ICO states that ‘consent’ is appropriate if you can offer people real choice over how to use their data and want to build their trust and engagement. However, if you can’t offer a genuine choice, consent may sometimes not be appropriate. The authority also states that the processing of personal data for the purpose of direct marketing may be regarded as carried out for a legitimate interest:
“As long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest. However, this does not automatically mean that all processing for marketing purposes is lawful on this basis. You still need to show that your processing passes the necessity and balancing tests.”
So, let’s explore what this actually means and how it can be applied.
What is Legitimate Interest (LI) Under GDPR?
LI is different from the other lawful bases: it is not centred around a particular purpose (e.g. performing a contract with the individual) and it is not processing that the individual has specifically agreed to (consent). Legitimate Interests is more flexible and could in principle apply to any type of processing for any reasonable purpose.
When it comes to direct marketing, LI is not something new as many organisations will have used it as a legal means to process people’s information under the regulations of the Data Protection Act 1998. However, there are two key differences between the DPA and the GDPR that event marketers need to be aware of when considering LI as a legal basis for their direct marketing activities:
Clear Opt-Outs: This was already a requirement under the DPA; however, you now need to make sure your opt-outs are clear and prominently displayed, separated from other types of information.
Important Considerations About LI
One of the most important things to know before deciding whether or not to use LI is that it is a subjective legal option – and it comes with added responsibilities. Event marketers must weigh up their right as a business to market to someone against that person’s right to privacy. The ICO will ask ‘what is within the reasonable expectations of the consumer?’, so as an event planner you must ask yourself the same question.
Would attendees from your last annual summit expect you to use their information to send them email communications about the next one? If yes, then they are more likely to anticipate that their personal information will be processed. If, on the other hand, the processing is entirely unexpected, it may not be justified, because the impact on the individual is greater.
You can get a list of questions the ICO recommends you ask when figuring out whether people on your lists will reasonably expect you to use their data for marketing purposes here.
The other thing with LI is that you must be confident that you can rely on it – and be able to show your reasoning. So inviting a delegate who attended your last event may be a reasonable example of using Legitimate Interests as a legal basis. But if you target random marketing lists of people who haven’t engaged with your organisation for a while (e.g. they don’t open your emails, or they attended one of your events years ago), then LI is not going to be as reliable, because it will be more difficult to justify.
So before making that important decision on whether or not you can use LI, you MUST cleanse your data so you can figure out exactly what personal information you hold on people, when they last engaged with your event or organisation, the nature of their relationship with your organisation, what kind of consent they gave you in the past, and so on.
The GDPR includes many built-in checks and balances you need to be aware of: if you are relying on Legitimate Interests, you must properly consider what your legitimate interests are and how you might be impacting each individual concerned. These ‘Legitimate Interests Assessments’ must also be documented to prove that you have done them, otherwise you risk GDPR non-compliance and fines – there is no standard form for this, but you can download a sample template from the ICO website here.
You need to be able to prove that you carried out this ‘balancing’ test every time your use of personal data changes (e.g. inviting people to events vs. sending general marketing emails). This is really important, because without consistent documentation proving that your organisation has been carrying out these balancing tests, you can’t rely on Legitimate Interests.
Using Legitimate Interests as a way of contacting people is fine as long as your reasons are truly legitimate – otherwise you are likely to have many discussions with the ICO arguing your case. We would advise that if you are not really sure about using LI as your argument, then don’t do it. It is the most flexible but also the weakest of the legal bases for processing. Either way, whether you decide to rely on consent or LI for your event marketing communications, you need to do similar things to make sure you are GDPR compliant:
- Be clear with people why you need their data at the point of collection – so update your privacy notices and consent boxes on event websites, registration forms etc.
- Use clear and concise language – make sure you identify your organisation and any other third parties who will be processing their personal information.
- Give individuals control over their data – they should be able to decide whether they want to share their personal data with you or not. Make it easy for them to opt-out every time you communicate with them.
- Be in a position where you can demonstrate you are compliant. This includes recording the legal grounds for processing an individual’s personal data.
Recommended Next Steps:
- If you haven’t already, audit your marketing mailing lists. Figure out what you hold and what you use it for.
- If you can’t rely on GDPR-compliant consent, decide whether the way you use personal data would be reasonably expected by the people on your lists, to assess whether you can use LI.
- Update your privacy notices in line with the ICO’s guidelines and the points we made above. Include details of what your purpose for processing personal data is, that you are relying on LI and summarise what the relevant legitimate interests are.
Need help tracking and managing consent on event websites and registration forms? Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR compliance.