GDPR: Which is best, 'Legitimate Interest' or 'Consent'

GDPR: Which is best, ‘Legitimate Interest’ or ‘Consent’?

‘GDPR’ can be a minefield. Nowhere is this more apparent than on the subject of processing data. Most firms will have a choice of either the legitimate interest route or consent. But which is best?

Let’s start by saying there are many different ways to obtain permission under the General Data Protection Regulation (GDPR) and each one impacts the rights of your prospects/customers. The table below explains.

  Right to erasure Right to portability Right to object
Consent Yes Yes No*
Legitimate interests Yes No Yes
Contract Yes Yes No
Legal obligation No No No
Vital interests Yes No No
Public task No No Yes

* but with the right to withdraw consent

Most marketing executives will look at using either legitimate interest or consent (unambiguous or explicit). Let’s look at these in more detail.

Legitimate Interest

This requires you to prove the processing of a person’s data is necessary for your legitimate interests. It normally requires you to complete a Legitimate Interest Assessment where you detail the reasons why you believe you have the right to process their data.

It’s important this is documented and stored as evidence, showing that you balanced the rights of individuals with your desire to process their data.

But as you can see from the table above, a person has the right to object which would mean you can no longer process their data. Also, it has not been made clear that if one person successfully objects to your legitimate interest does that mean the data of everyone in the same group cannot be processed? There could be a domino effect.

Also, if enough people challenge your legitimate interest and raise the issue with the Information Commissioners Office, you could be investigated and possibly fined.

An example of legitimate interest is downloading candidates from a job board. They may not have specifically given you consent to process their data, but uploading their CV suggests they are keen to hear about potential jobs.


Consent comes in two forms, unambiguous for most data and explicit for sensitive data. In both cases, the individual has given clear consent for you to process their personal data for a specific purpose (although they still have the right to withdraw consent at a later date).

An example would be a candidate registers with a recruitment agency on their website, they give their contact details and tick a box giving permission for the agency to store and process their data.

Which is best for marketing?

I believe consent is the best route. This is less to do with GDPR and more to do with permission marketing. Even if GDPR were not being introduced, I would still recommend getting marketing consent.

It has been proved several times that you will get a better response and more loyalty from people that have given you marketing permission (consent).

They are clearly interested in what you are selling and therefore less likely to complain about the volume of marketing, less likely to unsubscribe and more likely to recommend your company to friends. They are worth investment.

By contrast, individuals you contact on the basis of legitimate interest have never given you permission, may not have heard of your company and you are guessing they want/need your product at that time.

Talking to many executives, it seems the guys in the Data Department favour legitimate interest, but experienced marketers see the value of consent.

Get my latest blog posts and reports delivered straight to your Inbox, just 8 times a year. It’s free but not cheap. Complete the form below to receive the Marketing Graham Bulletin; you can unsubscribe at any time.

Marketing Graham Bulletin

Data protection laws stipulate I must get permission to store your data and send you emails. So please tick the box.

Yes, please send me the Marketing Graham Bulletin no more than 8 times per year. I understand that I can unsubscribe at any time by clicking the link in the footer of your emails, and you will store my data but never sell it to third-parties.

For information on this websites privacy practices, please visit my Privacy Notice
I use MailChimp as my marketing platform. By subscribing you acknowledge that your information will be transferred to MailChimp for processing. Learn more about MailChimp's privacy practices here.

Leave a Reply