The regulation specifically recognises that the processing of data for “direct marketing purposes” can be considered as a legitimate interest.
Legitimate interest is one of the grounds, like consent, that an organisation can use in order to process data and satisfy the principle that data has been fairly and lawfully processed.
The act says that processing is lawful if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
It’s worthy of note that “Direct Marketing” has not been defined – so consideration should be given to the precise nature of the marketing activity proposed to be covered by this grounds for processing.
It may, for example, mean that a simple mailing of similar goods and services to existing customers and prospects is completely legitimate without direct consent – but it certainly doesn’t include “Profiling” for marketing purposes which does require consent.