Speaking at the GDPR Summit London, Julia Porter, from the DMA, grappled with the thorny topic of consent versus legitimate interests. It’s a crucial issue concerning marketers and GDPR.

GDPR is not about making business difficult, began Julia: it’s about treating your customers fairly.

Under GDPR there are six lawful bases for processing personal data. But for marketing purposes, the two most popular are consent and legitimate interests.

For consent, the individual must have given clear consent.

For legitimate interests, processing must be necessary for your legitimate interest or your customers’.

Consent must be:

  • freely given
  • specific
  • informed and unambiguous
  • unbundled
  • granular
  • named
  • documented
  • and easy to withdraw.

Julia says that consent has become something of an obsession, and is seen by many as a kind of gold standard. But under GDPR, no lawful basis is more important than any other.


Pros of consent:

  • Unambiguous,
  • easier to implement,
  • perceived as a gold standard.


Cons of consent:

  • It’s a one-off opportunity: if you ask for consent and it is not given, there is nowhere to go; it’s sudden death.
  • Response rates will be depressed relative to legitimate interests, as opt-in is required.

Legitimate interests

She gave as examples of legitimate interests:

  • Fraud detection and prevention
  • Compliance with foreign law
  • Industry watch lists and self-regulatory schemes
  • Information, system, network and cyber security
  • Employment data processing
  • General Corporate Operations and due diligence
  • Product development and enhancement
  • Communications and marketing.

It is that last point on the above list that surprises many.

GDPR is clear, Recital 47 states it in black and white: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Complexity is added by a different regulation – PECR. This requires that in most cases people have to give consent to receive emails, but there is a line that refers to soft opt-in. So if you have collected someone’s email in the course of doing business, and there is an opt-out option, you can send them emails, subject of course to various requirements under PECR, including strict rules on providing opt-out opportunities for the recipient of an email.

So, what are the pros and cons of legitimate interests?


Pros:

  • Flexible and not purpose specific
  • Long-term security over processing of data
  • Risk-based approach to compliance.


Cons:

  • It is harder to demonstrate compliance, as legitimate interests have to be justified,
  • It means you take on more responsibility for protecting the interests of individuals.

Julia reminded delegates that GDPR is about lawfully, fairly and transparently processing customers’ data.

She referred to an IPSOS poll that found 69 percent of people distrust advertising. But with digital display, click-through rates are just 0.05 to 0.1 percent. So the size of a database is less important than its quality. And building trust is crucial. So applying GDPR principles is not just a case of something you have to do because it’s law, it is something you have to do because it’s vital to marketing success.
