Consent or legitimate interest – a GDPR post mortem

Paul Smith, Director of Traka Automotive, explores the two key options for GDPR compliance

How was your GDPR compliance experience? Was it an exercise in smooth project management or a blind scramble to delete personal data en masse before the 25th May 2018 deadline?

It seems many dealerships were frankly led astray in those increasingly panicky months before the compliance deadline hit us. Many took the view that the only way to be assured of compliance with GDPR was to ask everyone on their database to opt in to receive future communications. The result of that decision was that consumers were hit with an avalanche of ‘please opt-in’ emails in the last month prior to ‘GDPR-Day’.

Response rates to these requests were understandably low. Reports that filtered back to me suggest that many dealerships were then forced to delete up to three-quarters of their databases. An expert consultancy in this area, MotorVise, conducted some research which indicated that complex multi-question opt-in requests were receiving a maximum response rate of 20%, in line with our anecdotal findings.

However, the new Data Protection Act 2018, combined with the latest guidance from the Information Commissioner’s Office (ICO), indicates that testing whether communications with contacts are allowable under the ICO’s ‘legitimate interests’ guidelines may be a much more fruitful way of approaching GDPR compliance than seeking positive consent, which essentially requires a proactive opt-in.

Sure, the legitimate interests guidelines demand a rigorous process and documentation which properly assesses whether it’s in the interests of the consumer that you keep in contact with them post-sale, but surely going down this route is not likely to demand that up to 80% of your database disappears overnight?

Of course, it’s not recommended to run a consent-seeking process alongside a legitimate interest assessment. But it seems reasonable that for the thousands of dealers now attempting to rebuild their databases post-GDPR, the legitimate interest testing approach could be the right one for ensuring that you are sending the right information and updates to the right consumers - based on what they are likely to find useful rather than a source of irritation or harm.

The ICO guidelines suggest that legitimate interests are likely to be “most appropriate where you use people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

I had a conversation with a head of marketing at a major dealership earlier this month who said he was not at all sure whether he could send his customers reminders that their MOT deadline is coming up if that communication came with an option to book in an MOT inspection at their workshop.

However, surely on grounds of legitimate interest this communication would pass, as you are providing a useful reminder in a timely manner and have a service that addresses this particular statutory requirement?

After all, legitimate interests can serve “your own interests or the interests of third parties. They can include commercial interests, individual interests and broader societal benefits.”

As you can see, that is pretty broad. All you have to complete is:

  1. Purpose test: identify a legitimate interest
  2. Necessity test: show that the data processing is necessary to achieve it, and
  3. Balancing test: balance the above against the individual’s interests, rights and freedoms.

In other words, to cover off #3 you need to have documented a consideration of whether that customer might benefit from being alerted that their MOT is about to expire, and that you have a convenient way of solving that. After all, there are apparently more than four million drivers on the road without a valid MOT, which is a prosecutable offence. According to the same research, 16% of those without a valid MOT certificate said they didn’t realise they needed one. You can be fined up to £1,000 and have your car impounded if you are caught without a valid MOT.

But if processing or sending communication to a person is likely to cause ‘unjustified harm’ or be over-intrusive, their interests will override your legitimate interests. Fair enough. It seems to me that the ICO guidelines in this vital area are really about clamping down on abuse, i.e. over-communication through whatever means – direct mailing, email or phone calls, perhaps even online remarketing. I think we all recognise this misbehaviour when we encounter it, and no sensible dealership should be abusing the trust the consumer placed in it by providing their contact details or digital cookies. Indeed, in the digital world it would be counter-productive, as a poor Google review can do real damage to a dealership’s reputation and impact sales.

If you hand personal data on to third parties, you should consider why they want that data, whether they actually need it and what they will do with it. You need to demonstrate that the disclosure is justified. However, it will be their responsibility to determine the lawful basis for their own processing. That is why both Facebook and Cambridge Analytica (if it were still trading) might be in breach of GDPR: Facebook allegedly did not do sufficient due diligence on the third parties to which it sold personal data access, while Cambridge Analytica may have acted unlawfully in the way in which it handled 71 million personal data records. We’ll find out for sure as the legal cases play out over the next couple of years.

The good thing about the ICO guidelines is that it’s all there on its website. It lists the questions that any dealership needs to be asking as part of the above three legitimacy tests. Questions like “Are some people likely to object or find it intrusive?” and how big an impact the processing might have on some individuals, including vulnerable individuals, stand out among the Balancing test questions. The ICO even offers a lawful basis interactive guidance tool which essentially walks you through a questionnaire and then gives you an action plan to make sure you have documentary evidence of compliance.

You also must tell customers who are subject to the legitimate interest tests that this is your approach, and even detail what these interests are. It may be something you need to list in a contract letter which you present for signature as part of the sales process.

You also need to remain ready to respond in a timely manner to data subjects’ requests for erasure, and to their right to be informed of how their personal data is being processed.

Essentially, what GDPR and the new Data Protection Act 2018 are all about is tipping the balance of power back in favour of the customer and away from the goliaths of the digital world. They are not aimed at car dealerships, as long as dealerships do not abuse people’s personal data and only send them updates that they are likely to be interested in. Most of this is about common sense and, frankly, common decency: tell them what data you are holding on them and for what purpose, what types of communications they are likely to get from you if they agree, and then give them the right to unsubscribe from all or part of these communications, or even come off your database entirely, at a moment’s notice. In the digital marketing world, all this is much easier to handle than it used to be. The great thing is that the customer can self-serve - unsubscribing from specific or all updates and communications from you, MOT deadline alerts included.