GDPR: Which is best, ‘Legitimate Interest’ or ‘Consent’?

‘GDPR’ can be a minefield. Nowhere is this more apparent than on the subject of processing data. Most firms will have a choice of either the legitimate interest route or consent. But which is best?

Let’s start by saying there are many different ways to obtain permission under the General Data Protection Regulation (GDPR), and each one impacts the rights of your prospects/customers. The table below explains.

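| Basis for processing | Right to erasure | Right to portability | Right to object |
|----------------------|------------------|----------------------|-----------------|
| Legitimate interests | Yes              | No                   | Yes             |
| Legal obligation     | No               | No                   | No              |
| Vital interests      | Yes              | No                   | No              |
| Public task          | No               | No                   | Yes             |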

* but with the right to withdraw consent

Most marketing executives will look at using either legitimate interest or consent (unambiguous or explicit). Let’s look at these in more detail.

Legitimate Interest (LI)

LI requires you to prove the processing of a person’s data is necessary for your legitimate interests. You will need to complete a Legitimate Interest Assessment where you detail the reasons why you believe you have the right to process their data.

It’s crucial this is documented and stored as evidence, showing that you balanced the rights of individuals with your desire to process their data.

But as you can see from the table above, a person has the right to object, which would mean you can no longer process their data. Also, it has not been made clear whether, if one person successfully objects to your legitimate interest, the data of everyone in the same group can no longer be processed. There could be a domino effect.

Also, if enough people challenge your LI and raise the issue with the Information Commissioner’s Office, you could be investigated and possibly fined.

An example of LI is downloading candidates from a job board. They may not have expressly given you consent to process their data, but uploading their CV suggests they are keen to hear about potential jobs.

In the example of a job board, you would also need to check whether, when uploading their CV, they gave consent for recruitment agencies and hiring organisations to contact them.


Consent

Consent comes in two forms: unambiguous for most data and explicit for sensitive data. In both cases, the individual has given clear consent for you to process their data for a specific purpose (although they still have the right to withdraw consent at a later date).

An example would be a candidate who registers with a recruitment agency on their website. They give their contact details and tick a box permitting the agency to store and process their data.

Which is best for marketing?

I believe consent is the best route. This is less to do with GDPR and more to do with permission marketing. Even if GDPR had not been introduced, I would still recommend getting marketing consent.

It has been proved several times that you will get a better response and more loyalty from people that have given you marketing permission (consent).

They are clearly interested in what you are selling and therefore less likely to complain about the volume of marketing, less likely to unsubscribe and more likely to recommend your company to friends. They are worth investment.

By contrast, individuals you contact based on LI have never given you permission, may not have heard of your company and you are guessing they want/need your product at that time.

Talking to many executives, it seems the guys in the Data Department favour legitimate interest, but experienced marketers see the value of consent.
