The ICO should provide more clarity on legitimate interests

Calls have risen for the UK GDPR regulator – the Information Commissioner’s Office – to produce more guidance on how organisations can employ legitimate interest as a basis for direct marketing activity.

Pressure has been building for more clarity on the issue owing to the far-reaching confusion that still lingers over the definition of the term, as companies struggle to get to grips with compliant marketing practices.

Legitimate interest guidelines were first published by the ICO in March 2018, in the run-up to the release of the GDPR. The Direct Marketing Authority (DMA) maintains that brands are still in the dark when it comes to operating legally.

In response to the ICO’s consultation on the new DM Code of Practice, the DMA claims that a lack of clarity is causing severe disruption to direct marketing across all levels, from post marketing and phone marketing to third-party data and profiling, Decision Marketing reports.

The DMA states that regarding direct mail, “The code should make it plain where legitimate interest can be used as the appropriate legal ground for postal marketing and what requirements an organisation must meet in its legitimate interest assessment (LIA).”

The handling of third-party data is also a sore point currently, with the DMA adding:

“Since the introduction of GDPR, marketers have been unclear to what extent they can use third-party data for marketing. There is also a lack of guidance from the ICO. As a result, organisations have stopped using third-party lists for new marketing campaigns as they are unsure whether lists sold by vendors are compliant with GDPR.

“Practically, it is impossible for a third-party data provider to build a data set using consent as a legal basis. The provider will not know who their future clients are so will be unable to inform the data subject of the recipient of the data when it is collected. As a result, providers have been relying on legitimate interest as an alternative lawful basis for third party marketing.

“In general, the DMA supports this approach but it is dependent on the context. Marketers are unclear whether legitimate interest can be relied upon as the lawful basis for the collection, sharing and use of third party data for direct marketing.”

Towards the end of 2017, the trade body put together its own guidelines on the issue in a document that was bolstered by ICO advice. The DMA now wants the watchdog to incorporate DMA examples and its industry language into adapted guidelines that will be more user-friendly to marketers.

“This will help to ensure a consistent and responsible approach to using third party data across the UK,” the DMA said.

There are 12 elements within direct marketing that the DMA wants unpacked and re-presented in more detail, after expressing concern over the narrow scope of current guidelines.

“The code must cover all the different marketing channels and not just focus on electronic marketing, which is covered by PECR. Both offline and online channels should have fair representation in the guidance, with plenty of examples,” the DMA added.

