GDPR - Legitimate Interest and Direct Mail


How you can use Direct Mail in a compliant manner under the new GDPR regulations


When the General Data Protection Regulation (GDPR) comes into effect in May 2018, it will bring with it several changes to the way ‘consent’ is considered in relation to the processing of personally identifiable information (PII). As importantly, it will also update the key principle of ‘legitimate interest’. These are two of the six legal bases for lawful processing and the most important ones when it comes to marketing communications.

Legitimate interest is about balancing the interests of data controllers against those of data subjects. It is particularly important for direct mail, which remains an opt-out medium where consent is not required but legitimate interest may be argued.

Mapping the differences between the Data Protection Act and the GDPR, we can see the changes clearly and the intention behind them.

Legitimate interest under the Data Protection Act states: "The processing is necessary for the purposes of legitimate interest pursued by the data controller or the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

Legitimate interest for GDPR is: "The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, providing that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. This will not be applicable if carried out by public authorities in the performance of their daily obligations."

Under GDPR, if legitimate interest is to be used, the reason for processing must be necessary, real and not vague. There is a real need to balance the interests of the business against those of the consumer (considering their rights and interests), and this needs to be done formally through a documented legitimate interest assessment to provide evidence.

Some companies are electing to go opt-in only for direct mail (particularly charities) and rely on consent only, but they don’t have to, as legitimate interest is regarded as perfectly valid by the ICO, as long as the business is really making a considered case.

This will be a tough balancing act, along with undoubted confusion over the practicalities of when it can be used in relation to processing PII. Studying the regulations and the guidance closely, Paragon has looked at when it might be appropriate to use legitimate interest and has developed a view as to what would constitute a best practice approach to balancing the needs of the customer and the organisation. An outline of this methodology is shown in the infographic on the left.

Paragon sends out 4 million communications every single day of the year on behalf of its clients and each person in the UK gets a piece of our print through their door every single day. We know how effective direct mail can be, and you will want to make sure that post GDPR you are still benefiting from the impact of this powerful medium and doing the right thing for your customers.

Be prepared for GDPR

To understand the full scope of legitimate interest within GDPR and how it will impact on direct mail, or to ensure you are prepared for GDPR generally, please get in touch to find out more or discuss with our GDPR experts at Paragon Customer Communications.



Marc Michaels

Director of Strategy & Insight | Paragon Customer Communications


M: +44 (0)7875 134 818

Paragon Customer Communications offer a full range of services in relation to GDPR covering data exploration, consent and preference management (Preference Centres), re-permissioning and Breach Notification. These services will help you know exactly where you stand and what you need to do next to gain compliance.