« Back to all posts

Your plain English guide to preparing your agency for GDPR: Part three

Land Insight to 17 April NS

PART THREE: Marketing processes

Do not delete your database

A small minority of organisations have chosen to delete their databases rather than look at ways to repurpose them and achieve GDPR compliance.

This is the last thing that agents should do, as their databases hold an abundance of revenue-generating opportunities.

Especially when considering that it is easier than you might think to get your database GDPR compliant. That is, if you do it in the correct manner.

Be informed about your lawful basis

One of your first key actions is to make sure that you fully understand the lawful reasons that you can use to process personal data.

Evaluating and choosing which lawful basis you are going to rely on will help you to justify why you are communicating with any contact within your database both pre- and post-GDPR enforcement.

There are six lawful bases for processing, which are as follows:

Consent: Personal data may be processed on the basis that the data subject has consented to such processing.

Contractual necessity: Personal data may be processed on the basis that such processing is necessary to enter into or perform a contract with the data subject.

Compliance with legal obligations: Personal data may be processed on the basis that the controller has a legal obligation to perform such processing.

Vital interests: Personal data may be processed on the basis that it is necessary to protect the “vital interests” of the data subject (this essentially applies in “life or death” scenarios).

Public interest: Personal data may be processed on the basis that such processing is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest.

Legitimate interests: Personal data may be processed on the basis that the controller has a legitimate interest in processing the data, provided that such legitimate interest is not overridden by the rights or freedoms of the affected data subjects.

In most instances, it is likely that there will be four lawful bases that might apply to agents when storing or processing a contact’s personal data. (Again, though, it is your responsibility to choose the appropriate lawful basis, based upon what you are trying to do with the data.)

The four bases that will likely apply are as follows:

Compliance with legal obligations: There are a number of legal obligations that require agents to collect, store or process personal information for set periods of time. As you identify these, you should document them in your Privacy Policy so that your customers are made aware of them.

Contractual necessity: In order to fulfil certain transactions, or contractual obligations, agents are required to process or retain certain information. This would be applicable to complete a valuation request, for example.

Consent: In terms of your marketing, gaining consent from your contacts means that you have positive opt-in to send marketing communications to them.

You may consider using consent if:

  • You feel that you cannot justify a historical relationship with certain contacts in your database
  • You have no evidence of them consenting to receive information from you
  • They would not reasonably expect to hear from you
  • You have acquired them from purchased data
  • You do not have documented registration details

Legitimate interest: If you are relying on legitimate interest, you will need to conduct a Legitimate Interest Assessment (LIA) before processing data. This involves conducting a balancing test and showing justification for the criteria that informs your decision to use legitimate interest.

If you can show evidence that you have an existing relationship with your contacts based upon current or previous transactions, i.e. they have bought a product or service from you in the past or willingly gave you their details when they registered with you, you may consider using legitimate interest to continue to send marketing-related communications.

However, you must have offered them a way to opt out of receiving your communications in the past.

If you did not, then you did not give them a way of exercising their customer rights, and you will need to consider using a more appropriate lawful basis for processing.

Consent and legitimate interest in the context of marketing

Until recently, legitimate interest has probably been the most misunderstood lawful basis for processing by most businesses. In light of the recent update on legitimate interest issued by the ICO, many agents will now feel comfortable using this lawful basis.

However, there are some stipulations that you should be made aware of.

In terms of your lawful basis for marketing, it is reasonable to assume that agents will use either consent, legitimate interest or a mixture of both, as each individual data subject should be judged on their own merits.

The fundamental difference between these two lawful bases is as follows: If you choose to use consent as your lawful basis for processing, the individual has given you clear consent for you to process their personal data for a specific purpose, e.g. for direct marketing, so you have evidence to support your lawful basis for sending them marketing communications.

If you choose to use legitimate interest, it is your responsibility to show justification for why you are sending them marketing communications, and you therefore become more accountable for how you process data under this basis.

If you are considering using legitimate interest, you should undertake a Legitimate Interest Assessment (LIA) and conduct a three-part test which will help you to understand what you are trying to achieve from your direct marketing messages, and if they will have any impact on your customers and their rights.

Although not a prerequisite under GDPR, the ICO states that it is considered best practice to document your reasoning about how the lawful basis applies to that particular processing.

You will also have to tell customers upfront that you use legitimate interest as your basis for processing. This information should be made available within your Privacy Policy.

If you are going to use legitimate interest to send marketing communications, you should evaluate the following:

  • When you send marketing communications to your contacts, are you able to service the rights of your customers in terms of enabling them to opt out of receiving communications from your business?
  • Do you have an established relationship with your customers, and would they reasonably expect you to send them marketing communication?
  • Can you justify that your customers would not object to the processing of their data to receiving marketing communications from you?

If you feel that you can positively answer these questions, you may be able to use legitimate interest to process data for marketing.

However, agents should also be aware of the upcoming changes to e-privacy laws, as these may require that you obtain consent to send marketing communications. The EU is in the process of replacing the current e-privacy law (PECR) with a new ePrivacy Regulation (ePR). However, the new ePR is yet to be finalised.

Pros and cons of using consent and/or legitimate interest

For the purpose of direct marketing, you as a business will need to determine which lawful bases for processing you are going to use in order to send communications that comply with the GDPR.


If you are relying on consent, then you might choose to actively inform new and existing clients that you need them to opt-in to receive marketing communications from you. You can consider using granulised preferences or a simple ‘yes’ or ‘no’ soft opt-in option.

Again, though, it is your responsibility to decide how you would like to proceed. Bear in mind that, if you do ask for consent, you are actively asking your contacts to perform an action to provide you with unambiguous consent to receive marketing from you. You could use consent to re-permission existing customers or to register new ones.


  • The contact has actively stated that they want to receive marketing communications and – if you record consent correctly – you will have evidence to support this.
  • Offering granular preferences further enhances your ability to provide each contact with information that they choose, putting them in greater control of how their data is used, as they can actively opt-in or opt-out of receiving certain types of information from you. Granular preferences will also enable you to qualify your leads more efficiently, as you will know what each contact wants from your business at a particular time in their journey. If you offer a dedicated preference portal that the contact can log into and update their preferences at any time, then they can renew the type(s) of information they would like to receive as their circumstances change.
  • When the EU update e-privacy laws, consent could be a necessary requirement. If you already have consent in place, you would be in an advantageous position in relation to your competitors.


  • If you do ask for consent and the contact does not perform the action you require, then that contact may become unavailable to you following the enforcement date of the GDPR, as silence or inactivity equates to opt-out under the GDPR.
  • You may actively encourage unsubscribes because you are giving your contacts a choice to perform an action.
  • Re-permission emails could be seen as being disruptive to your communications strategy, if the contact was unlikely to object to receiving marketing communications in the first place.

Legitimate interest

If you are relying on legitimate interest, you will have to work to meet the accountability factors required by the GDPR.

Although not a prerequisite of the GDPR, it is strongly advised that you document your justification for relying on legitimate interest.

You will need to identify your precise purpose for any direct-marketing communication sent under this lawful basis, take your customers’ rights into account and determine if your communications will have any detrimental impact on them.

You will have to make the customer aware of why they are receiving that particular communication from you – you should also document this in your Privacy Policy and make it assessable for customers to find on your website and within any subsequent marketing communications you send to them, as well as informing them from the point of registration that you use this lawful basis for processing.

The ICO notes that legitimate interest is more likely to apply where you have a “relevant and appropriate relationship” with the contact, and they would reasonably expect to receive marketing communications from you.

The ICO classifies this relationship as a “soft opt-in” relationship.

To determine if your relationship “is relevant and appropriate”, you should evaluate it in terms of whether the contact has recently bought a service or product from you, willingly given you their details, did not opt-out of receiving marketing communications from you – and you gave them the option to opt-out when you first collected their details, and whilst you were sending them marketing communications.

The ICO states that you may also be able to “disclose data” to the third parties you work with under this lawful basis.

So, you should make your customers aware of the third parties you use, if you intend to pass their data to them and what your justification is for this. Again, you should document this in your Privacy Policy.

You should also have processes in place to service a restriction of processing. If for instance, the customer objects to you passing their details on to a third party, you must be able to stop this from happening.

Caveats regarding legitimate interest:

Will your customers reasonably expect to hear from you?

If you choose to use legitimate interest, you need to be certain that you have assessed the precise nature of your relationship with each individual, and how you have used their data in the past.

Ask yourself the following questions: Would your customers reasonably expect to hear from you? Are they likely to object to the processing of their data? Would the processing have any detrimental impact on them? Did you offer a way for them to opt-out of receiving communications from you?

Would the processing prevent them from exercising their rights? If you process data in a way that is unexpected to the customer, they effectively ‘lose control of their data’ and may feel that they have not been reasonably informed to exercise their rights.

If you cannot positively answer questions similar to these, then you should look to use a different lawful basis for processing, such as consent.

How was your data collected?

If you obtained data from a third-party source, or you purchased the data, you need to evaluate the existing “consent” you have and determine if you feel that legitimate interest is the best lawful basis to use. If you cannot establish where the contact came from, then you might consider using consent as your lawful basis for processing.


  • Using legitimate interest equates to “business as usual” for your business in terms of sending marketing communications to your contacts.
  • Contacts are less likely to unsubscribe from receiving marketing communications from your business, as you are not asking them to perform a disruptive action. (Although you must ensure you make them aware that they can opt-out of receiving communications from you at any time).
  • If you make your customers aware of the third parties you pass data to, and you have a legitimate reason that explains the benefits to your business and the customer – and you do not infringe their rights – you might be permitted to market your third-party services to them in order to increase your revenue and enhance the service your provide to your customers.


  • You take on an added responsibility to adhere to and enforce your customers’ rights.
  • You will have to justify and document your assessment of how it applies to your processing activities.
  • You may not have explicit and unambiguous permission to send marketing communications to your contacts.

Richard Combellack is chief commercial officer at BriefYourMarket. https://www.briefyourmarket.com/

Disclaimer: BriefYourMarket.com is not a legal or regulatory body. This article is for informative purposes only. To understand your position in relation to the GDPR, please consult a/your legal advice organisation


Email the story to a friend

daily news
email from EYE

straight to your inbox

Join 20,000 industry colleagues
and subscribe to our free daily news email.

(You may unsubscribe at any time and we promise never to sell or pass on your email address)

Thank you! To complete the subscription, please click the link in the email we just sent you.


[ comments ]

Source:: Your plain English guide to preparing your agency for GDPR: Part three