What is Legitimate Interest anyway? GDPR expert Liam McKenna discusses on The B2B Show

By Ian Blake on 30 August 2018 at 10:58:18 BST


If you've had your head in the sand regarding the GDPR, it’s time to get unstuck. That was the message from GDPR specialist Liam McKenna from Mazars when he spoke to Squaredot’s Managing Director, Ian Blake recently for The B2B Show.

The panic may have subsided and the dust might have settled on the GDPR - heck, you might even have noticed a reduction of spam in your email inbox - but businesses can’t be complacent when it comes to compliance. New EU data regulations, rolled out on May 25 this year, aren’t going anywhere. The plot thickens when businesses consider all the other regulations, in addition to the GDPR, that they must consider, most notably ePrivacy regulation, the details of which are still being worked out.


‘The privacy statement on your website is the most visible thing you're going to have with regards to GDPR.’

- Liam McKenna, Consulting Services Partner, Mazars


GDPR compliance and bare minimum - privacy statements, subject access requests, breach management

According to Liam, there are 3 features that all businesses must implement in order to be minimally compliant - privacy statements, subject access requests, breach management.

Websites are typically ‘shop windows’ into a business and from a GDPR perspective, it's the most visible part of a business’s compliance project. ‘If the commissioner were to receive a complaint they could look at your website and say, okay, these guys have obviously done something for GDPR,’ explained Liam. Or they could say they're using an old data protection statement there. There’s nothing about cookies on the website. We need to focus in on these guys.’

Writing a website privacy statement is difficult to do unless the business has painstakingly addressed what it is they actually do with the data they gather on individuals. According to Liam, at its most basic, compiling a spreadsheet outlining processes on data handling will inform the privacy statement that the business produces for for its website. ‘That is the is the very basic starting point for any GDPR project,’ he said. ‘It asks a number of questions: why we think we're allowed to use this data and who we share it with. It's very hard to write a privacy statement if you haven't actually gone through that [list of questions].’

Subject access requests are when customers or clients request all the data that a company is holding on them as an individual.

When a subject access request is received, the company dealing with it has a limited timeframe in which to comply and compile a response. As soon as the request is received via email, the company is on the clock.

Essential to preparedness is knowing where everything is, and being able to pull lists posthaste. Solid procedures designed to deliver this information is key to compliance in this area, according to Liam. ‘That includes emails, that includes your core system, that includes spreadsheets,’ he said. ‘Just extracting the data and making it available [is important.] To me, if you're not able to do that, you're going to be in trouble.’

Various organisations, depending on their maturity, have chose to implement IT solutions for subject access requests and understanding retention periods. For smaller businesses, satisfying the commissioner doesn’t have to be high-tech - it just has to be done. Being a small or underformed business doesn’t get you off the hook, according to Liam. Lack of dedicated staff training or procedures designed to handle requests are finable offences, and precedents will be inevitable. In many respects, said Liam, the GDPR is an exercise in people expressing their rights - and this is the hallmark of a progressive society. ‘[Businesses must] be prepared for the fact that we’re anticipating a numbers of rights of the individual,’ he said.

Establishing protocol around reporting data breaches - and again, doing it quickly - is the third consideration for minimal GDPR compliance. Data breaches must be reported to the commissioner within 72 hours of the time the breach is first detected. For instance, if a malicious insider leaks personal data on to the internet, the business responsible for gathering the data must deploy a rapid response team to deal with the repercussions of this. At the same time, they have a limited amount of time to notify and submit an explanation to the commissioner on how it happened and most importantly, how it was allowed to happen. ‘ If the commissioner finds out that you know you've been sitting for two months on a data breach, and you were aware of that, the likelihood is you'll get fined twice, once for the data breach and once for the breach of the reporting obligation,’ said Liam.

B2B database management

B2B marketers’ bread and butter are their databases. But until details of legitimate interest are finaliased in ePrivacy regulation in 2019 (an enhancement of the 2002 electronic communications directive), businesses can expect a lot of noise and anything but definitive answers. Early advice from Liam suggests staying ahead of the curve and defining what legitimate interest means to a specific business - with the caveat that it could all change.

Since data constituting legitimate interest data is made up of contacts added over the years, Liam’s own organisation took a hardline over what could safely fall into that category. ‘Twenty percent of our email addresses were Gmail, Yahoo, things like that. We were like, this is clearly not a business email address, but what do we do with it?’ said Liam. ‘We put customers we had dealt with within the last year [into the legitimate interest category] so long as we were communicating only about our own services. We decided to remove all of the personal email addresses from our marketing database.’

Sales and marketing are different animals in a post-GDPR world

The waters are muddied around whether businesses have the right to communicate with individuals or not. Generally,  dealing with business data should be more straightforward than dealing with personal data. While the GDPR touches on many different areas of a business, incoming ePrivacy regulations will primarily be concerned with the sales and marketing.

According to Liam, a rough rule of thumb is that communication which isn’t marketing, is sales - and if it’s sales, legitimate interest is a valid, applicable concept. ‘The marketing email is a mass email to a thousand people or 10,000, whatever it is. And then you have a sales email, which is someone you meet at a conference and you get their business card,’ he said. ‘That’s the difference between a sales and a marketing email.

Talking about the future, Liam McKenna said that despite the uncertainties GDPR and ePrivacy, enhanced regulations are good for business and for society, generally. In that respect, establishing a better culture of privacy within organisations, and more broadly, can only be a good thing.

LISTEN TO THE FULL PODCAST ON THE B2B SHOW