Until I read that, I held the belief that GDPR was really pretty clear and easy to implement. But reading that, it seems to me that the ICO doesn't really have a clue how you're supposed to distinguish a legitimate interest from an illegitimate one.
Perhaps the "legitimate interest" base needs to be deleted. It looks like a deliberate loophole.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
Until I read that, I held the belief that GDPR was really pretty clear and easy to implement. But reading that, it seems to me that the ICO doesn't really have a clue how you're supposed to distinguish a legitimate interest from an illegitimate one.
Perhaps the "legitimate interest" base needs to be deleted. It looks like a deliberate loophole.