Solve your toughest data challenges
We can help you understand your customers, stay ahead of regulations, and grow your business.
Reframed GDPR from consent to legitimate interest
The challenge
One of the world’s leading consumer electronics businesses was on the verge of losing access to an estimated ¾ of its marketing data due to a legal decision to adopt a consent approach to GDPR across Europe.
Our response
Acxiom were brought in to help find a new route and prove to the legal team there was an alternative that would reduce risk but also provide marketing the necessary data access to continue to market to their customers.
The impact
-
Acxiom’s process has worked, and the client has regained almost 100% of their customer database for use moving forward by adopting the Legitimate Interest route for GDPR.
-
Both Marketing and Legal teams across Europe are aligned with the approach.
-
Relevant policies are in the process of being updated through Acxiom.
Introduction
Purpose
This leading electronic provider had concerns around the impact on marketing capabilities as a result of a consent-based approach for GDPR compliance and required an investigation into Legitimate Interest as an alternative legal basis to consent.
Process
As part of an initial phase, Acxiom assessed a selected number of use cases, running them through LIA’s (Legitimate Interest Assessment).
We considered reviewing all marketing use cases but decided to prioritise initially a deep dive investigation on two broad based use cases relating to two areas.
- Marketing analytics/profiling
- DMP behavioural triggers
Investigations led to the requirement for a Legitimate Interest assessment on each. The results were presented back to the
European CMO for approval, and to start building a formal case for the business to move away from a consent driven approach towards a Legitimate Interest view, which would protect the use and analysis of marketing data.
Results
Investigations led to the requirement for a Legitimate Interest assessment on each.
The results were presented back to the European CMO for approval, and to start building a formal case for the business to move away from a consent driven approach towards a Legitimate Interest view, which would protect the use and analysis of marketing data.
Conclusion
Two formal Legitimate Interest Assessments have been conducted and the conclusion of both is that the client has a very strong case for relying upon Legitimate Interest as the GDPR compliant legal basis for these use case areas.
“The leading electronics provider had concerns around the impact on marketing capabilities as a result of a consent-based approach for GDPR compliance.”
About the Legitimate Interest Assessment (LIA) – Framework
The LIA Framework used for this project follows the Data Protection Network (DPN) framework that was submitted to and supported by the Information Commission Office (ICO) as a robust template for Legitimate Interest Assessment. Whenever using LI as the legal basis for processing, transparency is key.
In all cases where LI is the legal basis for processing, a Legitimate Interest Assessment should be carried out, which involves four main steps:
-
1. Identify legitimate interests: For example, in marketing, the Legitimate Interest would likely be along the lines of “sending out marketing communications to customers or prospects to help promote or sell products, outlets and services”. During this stage, clients consider why this interest would be in the interests of the recipient.
-
2. Carry out the necessity test: Defining whether there is another way of achieving the stated objective.
-
3. Carry out the balancing test: Identify and define the risks to the individuals’ personal privacy. This should be documented, and mitigations should be considered. (e.g. data minimisation, data retention / deletion policies, data security measures, ensuring the individual is appropriately informed (transparency), determine how to implement and process opt-outs; consider privacy by design considerations – for example, when creating an app or loyalty programme).
-
4. Documented for evidence: Ensure that all stages of the Legitimate Interest Assessment is fully documented.
Outcomes
Based on these findings the electronics client has a strong argument for the use of Legitimate Interest as the legal grounds for processing personal data in the DMP. This is supported by guidance from the EU Article 29 working party, the GDPR text and the DMA. This opinion has been informed by analysis of information and answers provided specifically to the necessity and balancing tests.
“Acxiom’s process has worked and the client has regained almost 100% of their customer database for use moving forward by adopting the Legitimate Interest route for GDP.”
