Before diving into this post, we recommend you check out our recent post on lawful basis under the GDPR. It provides useful background on using the lawful bases of legitimate interest and consent under the GDPR.

Beyond your HR, security, privacy, and legal teams, the GDPR could have a big impact on your marketing team. Marketing relies heavily on the ability to freely communicate with clients, contacts, and prospects, sending them information on products, services, company updates, and more. And in turn, this level of communication involves collecting, leveraging, and managing your contacts’ data.

The GDPR is going to change how your marketing team gets this data. The GDPR requires companies to be transparent with data subjects about the fact that they are processing their data, why they are processing it, and how it’s being used. Under the GDPR, new leads and existing contacts will have to actively choose to receive communications from your marketing team in most situations (more formally known as consent, a lawful basis for data processing under the GDPR).

In this post, we’ll look at which marketing methods align best with the GDPR, how legitimate interest and consent can both serve as lawful bases for different marketing activities, and more. 

Out With the Outbound, In With the Inbound (Marketing) Under the GDPR

In the past, outbound marketing methods like bulk emails and cold calling were popular strategies for marketing your business. These techniques push out a message to as many people as possible. However, under the GDPR, most outbound marketing strategies will be non-compliant because they typically don’t seek out the contact’s explicit consent to receive communications. But today, more marketers are using an inbound marketing strategy, which lets potential customers find their businesses more organically and actively choose to interact with a company (think social media, blogging, etc.), which aligns better with the principles found in the GDPR.

The good news is that inbound marketing methods are proving to be more successful than outbound in most cases and require less effort and cost to support than outbound marketing methods. (You can read more about inbound vs. outbound marketing here, if you’re interested.) While specific marketing strategies will vary depending on whether you’re a business-to-customer (B2C) or business-to-business (B2B) marketing organization, inbound marketing methods like the following align much better with the GDPR:

  • Web Site – Your web presence should showcase services and products and offer straightforward, simple ways for potential clients to contact your company and to consent to further communications.
  • Email Marketing – Your contacts must proactively sign up (e.g., opt in) to receive newsletters, product emails, etc., and there needs to be a clear, easy way to unsubscribe from these emails. When they sign up for a newsletter or similar communication, your consent form needs to be explicit about exactly what they’ll receive in return.
  • Marketing Platforms and Tools – Marketing platforms can help you easily manage your contacts, set up consent forms, manage consent withdrawals, and effectively communicate with your contacts.
  • Referrals – By being transparent with your contacts and providing them the choice to communicate with your business, you are building better relationships and cultivating trust. This can lead to your contacts referring their own connections to your business.

Under the GDPR, the goal is to give your contacts control over the data they provide you, so they only receive the information they want and so they can stop receiving communications whenever they want. Most inbound marketing techniques can provide data subjects with this level of control.

Choosing a Lawful Basis for Marketing Purposes

Under the GDPR, you need to have a legitimate reason to collect and process an individual’s data – something called “lawful basis.”

While there are a total of six lawful bases for data processing under the GDPR, consent and legitimate interest are the only two you can use for processing data for marketing purposes. Consent will probably apply most often, but the GDPR provides an opportunity for marketing without the prior consent of a data subject under the lawful basis of legitimate interest.

For B2C marketing, the contact must give consent to receive marketing communications. But for B2B businesses, EU Member States have more freedom to ensure the legitimate interests of corporate data subjects are protected from unsolicited communications. This means they can introduce stricter requirements around B2B marketing communications. To ensure compliance with both the GDPR and Member-State requirements, organizations dependent on B2B marketing should clearly communicate their privacy policies and consent procedures to their contacts and be open about the fact that certain services or communications may be limited if the contact opts out of consent.

But the GDPR also provides an opportunity for marketing without the prior consent of a data subject under the lawful basis of legitimate interest. However, there are specific parameters (which can be tested through a legitimate interest assessment (LIA) in coordination with your legal counsel) that organizations using legitimate interest as a lawful basis must meet. The LIA should document any possible consequences of data processing including the impact on a data subject’s privacy, wellbeing, and expectations.

Let’s take a look at these two lawful bases and determine which marketing activities each one applies to.

Applying Legitimate Interest as a Lawful Basis for Marketing

Legitimate interest is sometimes assumed to be the “catch-all” lawful basis for times when it isn’t convenient to request a data subject’s consent. However, under this lawful basis, businesses are only able to process data if they understand it to be a reasonable expectation of the customer, like for purposes of customer communications and fraud prevention. In these scenarios, legitimate interest can be used as a lawful basis for both B2B and B2C relationships. An example of reasonable expectation for a B2B would be if an organization sent an existing customer an update about a service or product they have already provided to the customer. Conversely, legitimate interest would not apply to a newly established business relationship or to the promotion of a new or enhanced service/product. 

Marketing departments using legitimate interest as the basis for processing must notify data subjects that they have the right to object to the profiling and processing of their data. This right needs to be explained explicitly to the data subject at the beginning of processing and periodically thereafter. If a data subject refuses or objects to processing, the marketing team must erase the individual from their target list and cancel services free of charge. 

Legitimate interest cannot be used as the lawful basis for data processing when the processing overrides the fundamental rights and freedom of a data subject, particularly children. To determine whether or not an activity may infringe on a data subject’s rights, organizations should perform an LIA to determine if an action has an effect on the customer’s reputation and the business/data subject relationship. The purpose of the balance test is to streamline the communications between the business and data subjects to ensure customers only receive the information that is important to them.

The implementation of the GDPR also applies to any previously collected data that may still be in the possession of a data controller. Marketing teams cannot continue to store collected data for contacts who have already requested to opt out of data processing services or activities.

Using Consent as a Lawful Basis for Marketing Purposes

To be compliant with the GDPR, organizations should focus on attaining consent for most of their marketing activities. Although consent can be a complex lawful basis due to the right of withdrawal, it is the most favorable lawful basis in the eyes of EU regulators and authorities. The EU created the GDPR to build more transparent organizations; therefore, businesses who make the effort to build a marketing model based on consent not only earn the respect of their customers, but also of EU authorities.

Consent is the only one of the six lawful bases that allows for the tracking and profiling of a data subject’s information for behavioral advertising, data brokering, and digital-marketing research activities, which are considered essentials for most marketing departments. In order to keep using these methods, these organizations will have to gain and maintain the consent of their customers.

A good first step is to create an email (or similar communication) that provides opt-ins for informational, service/product-based, and marketing communications to send to your existing contact base (including current, past, and potential clients). This method will provide marketing teams with an initial pool of consenting contacts and the information and the accountability they need to demonstrate that they have acquired consent for the use of data processing. It is especially critical that B2B marketers know their business partners and contacts have provided consent before including them on a marketing list for future communications.



The Impact of the GDPR on Marketing

The GDPR will greatly impact the way international organizations market their services and products and will require many organizations to gain consent prior to beginning communications or services. The most important factor for marketers aligning with the GDPR will be proving that they have either gained consent from their contacts or can meet the requirements of legitimate interest to process data. Consent has been an ambiguous topic within marketing for a long time – an issue the EU is trying to rectify. Although the GDPR’s consent requirements are stringent, organizations that prepare in advance and emphasize inbound techniques for marketing can build a respectable reputation and avoid the heavy fines of non-compliance.

Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.

