Like many people involved in GDPR compliance, I’ve been waiting around for guidance from the Information Commissioner on whether legitimate interests can be used as the basis for Direct Marketing.

The problem was that the GDPR says, rather vaguely, that legitimate interests may be used as a reason to process data for direct marketing. The Data Protection Network have produced some really useful information on this top, and I’ve been through all of their documentation but some lawyers informed me that it wasn’t until we got the guidance that we would be able to understand whether or not we could use legitimate interests.

Today however, I came across this great blog from Elizabeth Denham at the ICO which says “there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.

Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business
more accountable under the GDPR.”

She goes on to say “I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.
But the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.

Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.”

So cracking on with establishing your basis for processing data seems to be the message.

If you need help with any of these concepts or with establishing you legal basis for holding data for direct marketing, please drop me a line at