A few weeks ago RNLI announced that it would be changing its approach to direct mail following a significant drop in donations. After the introduction of GDPR the charity only contacted people that had explicitly opted-in to receiving mail. However, according to industry research, on average databases were depleted by around two-thirds meaning that RNLI’s donor pool was likely to have shrunk considerably.

After almost a year and half of GDPR RNLI is suffering from two angles – a higher demand for its services combined with a drop the donations meaning that the charity is struggling. Already it has looked to cost-saving measures such as redundancies and increased recruitment for volunteers. In these tricky times, it has reassessed its approach to fundraising and has chosen to exercise its right to a legitimate interest, a clause outlined in GDPR which means that organisations can contact consumers irrespective of whether they have given their permission or not.

Legitimate interest is one of the six lawful bases for processing personal data and states that an organisation can process the personal information of consumers if there is an inherent benefit inherent for the company itself or for wider society. In this case, it is likely RNLI believes that it is in the best interests of the UK public to understand the fundraising needs of the charity – or else there may not be the funds available to save lives.

ICO recommends that when considering where or not to process data under legitimate interest an organisation carries out a three-stage test:

  1. Purpose test – is there a genuine legitimate interest behind the processing?
  2. Necessity test – is the processing necessary for that purpose?
  3. Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

GDPR does not have an exhaustive list of what purposes are likely to constitute a legitimate interest. However, the following purposes have been identified as constituting a legitimate interest:

  • Fraud prevention;
  • Ensuring network and information security; or
  • Indicating possible criminal acts or threats to public security.

Recitals also say that the following activities may indicate a legitimate interest:

  • Processing employee or client data;
  • Direct marketing; or
  • Administrative transfers within a group of companies.

Under the advice provided by ICO if legitimate interest falls under the last three activities (which is likely where RNLI falls) it will be necessary to identify the precise purpose of the activity and show that it is legitimate in the specific circumstances, and in particular that any direct marketing complies with privacy rules on consent. If unsure it is prudent to contact the ICO for advice or a GDPR specialist.

What is clear, however, if legitimate interest is taken up that Article 5 of GDPR will still apply. This means that the data being processed must be up to date and as clean as possible. There will be no excuse for contacting people that have passed away, for instance. This is why it is critical for the data to be cleaned before any mailing activity commences.