GDPR and Legitimate interest re B2B marketing

Dear All,

Here is a practical view of B2B vs Consumer marketing. I have known Malcolm for many years and he is a marketing professional, whose advice we have taken in the past.


Malcolm says:


How Can You Continue To Use Bought-In Mailing Lists and Cold Email To Generate Sales?

GDPR Allows Six Lawful Bases For Processing Personal Data. Consent is one of the six, but Legitimate Interests is a more suitable reason for B2B sales and marketing.


Legitimate Interest is one of the six lawful bases for processing personal data under the GDPR and you must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.


Legitimate interest might be your own interest, or the interest of the third party receiving the data, or a combination of the two.


The latest guidance from the Information Commissioner says that legitimate interest may be the most appropriate basis when:


“the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.”


Crucially for marketers, direct marketing is described in the GDPR as an activity that may indicate a legitimate interest.


However, in order to be a legitimate interest, the direct marketing must be legal: as it is legal for businesses to market to individuals at other businesses by post, by email, by text and by phone (as long as the number is not registered with the CTPS), many businesses will be able to use legitimate interests as their basis for processing personal data for direct marketing purposes.


What must you do if you decide to use legitimate interests as your basis for processing personal data for direct marketing purposes?


As with much of the new Data Protection Regulation, much of the work that you need to do revolves around writing policy documents.


  1. Carry out a legitimate interest assessment. 

Assess each part of a three-part test, and document the outcome so that you can demonstrate that legitimate interest applies. The three tests are:


Purpose test – is there a legitimate interest behind the processing? In the case of direct marketing, yes there is a legitimate interest for your business in using direct marketing in order to promote itself.

Necessity test – is the processing necessary for that purpose? You need to demonstrate that the processing is necessary for the purposes of the legitimate interests you have identified. This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose. In the case of direct marketing, yes it is necessary to use direct marketing to promote your business.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms? With regard to business-to-business marketing, the Information Commissioner says: “business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally”. So in the case of direct marketing and email marketing to business contacts, the legitimate interest is not overridden by the interests of the individual, who as a business person with decision making and budgetary responsibilities can reasonably expect to be contacted with marketing material relating to his or her professional role.

You must carry out these assessments and document these three tests.

  2. Update your privacy notice to clearly say that you are relying on legitimate interests as your lawful basis, and say what your legitimate interests are.
    Electric Marketing has updated its privacy policy to show that we are relying on legitimate interests to process data.
  3. Communicate that you are using legitimate interests as a reason to process personal data.

The Information Commissioner has not offered any guidance on what it would accept as sufficient communication to the data subject that you are relying on legitimate interest as a basis to process personal data, but we have noted a few emails coming into the office with notices at the foot saying:

“GDPR and this email. As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a legitimate need for office furniture within your business. From our research, or from information that you have provided, we have identified your email address: as being the appropriate representative to address within the organisation. We have deemed this to represent a legitimate interest in line with the ICO’s guidance.”



Malcolm Rae


Astle House, Snelson, MACCLESFIELD, Cheshire SK11 9AW, United Kingdom
Tel: +44(0)1625 890500

Business Lists UK are members of the Direct Marketing Association (DMA)



