What are “legitimate interest allowances” and how do they apply to win-loss analysis?

The term “legitimate interest allowances” refers to circumstances wherein a controller may legally process personal data of a data subject without their explicit prior consent to do so.

To qualify, the processing activity in question must pass a three-part test:

• Purpose Test: Does the processing serve a legitimate, non-trivial business interest?
• Necessity Test: Is the processing necessary to serve the purpose? Have less intrusive alternatives been considered and deemed insufficient to serve the purpose?
• Balance Test: Does the processing pose any risk or harm to the data subject? Does the purpose being served justify the risk posed to the data subject?

The UK Information Commissioner provides helpful guidelines for conducting a legitimate interest assessment here.

In regards to win-loss analysis, legitimate interest allowances are widely considered adequate basis for processing due to the fact that (a) the data subject previously consented to data processing by the controller during their sales evaluation, (b) soliciting the prospect’s feedback at the end of the sales process is a reasonable, non-harmful use case that only involves business-related data, and (c) the processing serves a non-trivial business purpose for the controller.

Thus, there is widespread consensus that win-loss analysis passes the three-part test, and that organizations may contact prospects/customers for win-loss feedback without their prior consent.

What is a processor and can we use a processor (like Clozd) to conduct win-loss analysis?

When organizations (“controllers”) process data about their prospects or customers (“data subjects”), they often need the help of third-party products or services to do so. The third-party entities that provide these products or services are referred to as “processors”.

Consider this simple example. A bank wants to send account notices to its customers via email. To do so, the bank uses a third-party software solution to design and send the emails. Under the GDPR, the bank is the “controller” and the software vendor is the “processor.” The GDPR allows controllers (bank) to utilize the processor (software vendor) without the permission of their data subjects. However, the bank must ensure that personal data is safeguarded by the processor, and that the data is only used to fulfill the controller’s lawful processing activities.

In regards to win-loss analysis, most organizations do not have in-house tools and resources to capture and analyze win-loss feedback. Thus, most organizations enlist the help of a processor like Clozd to carry out win-loss analysis. Like the bank example above, this is allowable under the GDPR so long as certain safeguards and contractual agreements are in place between the controller and Clozd.

Can we legally send our win-loss invitation messages using the Clozd platform?

Yes. As discussed above, many organizations utilize vendors like Clozd to conduct win-loss analysis. When doing so, Clozd acts in the capacity of a “processor” as permitted under the GDPR. As a processor, Clozd may be utilized for any or all of the relevant processing activities such as:

• Filtering customer/prospect data to determine which data subjects should be contacted for win-loss feedback,
• Contacting data subjects to request win-loss feedback,
• Collecting their win-loss feedback through surveys or interviews,
• Interpreting and analyzing the data collected.

Furthermore, there is a common misconception that sending win-loss invitation emails through your existing email marketing system might somehow be preferable under the GDPR. However, the GDPR is agnostic in regards to what processor an organization uses for any given processing activity. The GDPR is only concerned that a lawful basis and proper controls have been established. Thus, using Clozd for win-loss invitation emails is legally equivalent to using your email marketing system, but offers more purpose-built functionality to support the niche use case.

As a processor, does Clozd do anything proactive to support its clients with GDPR compliance?

Yes, Clozd proactively supports clients with their GDPR-compliance efforts in various ways.

First, Clozd helps clients implement a Data Processing Agreement (with Standard Contractual Clauses) as part of our contract process to ensure the legal relationship between controller and processor is properly established, with Clozd bearing contractual responsibility to safeguard personal data and process it legally.

Second, the Clozd Platform is built in a way that supports essential data processing controls such as data rectification, erasure, and opt out management.

Third, Clozd is audited annually for ISO 27001 and SOC 2 Type II compliance, ensuring that personal data is safeguarded in accordance with industry best practices. As a result, Clients can legally and confidently rely on Clozd to process personal data on their behalf.