Legitimate interests

Legitimate interests is perhaps the most flexible lawful basis on which you may process personal data, and is likely to be the lawful basis that most marketing and sales teams will look to use in a B2B environment. With legitimate interests you may collect, process and store personal data, as long as you have considered and can prove that there is a legitimate interest (basically a good reason why). It is also important to show that you’ve balanced the use of ‘legitimate interests’ against the individual’s rights and freedoms. You must also include full details of your legitimate interests in your public-facing privacy policy.

The ICO specifically mentions direct marketing as an area in which it could be deemed necessary to leverage legitimate interests. It also states that the processing must be a targeted and proportionate way of achieving your purpose, and that the organisation should consider whether there is another reasonable and less intrusive way to achieve the same result.

The ICO recommends conducting and documenting three tests when looking to leverage Legitimate Interests:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interests?

(source: ICO’s Guide to General Data Protection Regulation)

Of the six lawful bases specified under GDPR, ‘legitimate interests’ is the most flexible. However, there are still some strict guidelines around its use.

GDPR Lawful basis

Data can be processed in the legitimate interests of the data controller (or a third party) and that can include the personal or business interests of yourself or a third party. The key exception is where such interests are overridden by the interests or fundamental rights and freedoms of the data subject – especially if that subject is a child.

The process of direct marketing is detailed as a potential use of legitimate interests under GDPR, but this shouldn’t be taken as a free pass to do whatever you want. Processing under this basis places additional responsibility on the organisation to consider and protect each individual’s rights and interests. Data processing must be proportionate, targeted, have the smallest possible impact on the individual, and not require consent under the Privacy and Electronic Communications Regulations (PECR), which focus on additional protection for consumers.

Here is a basic checklist of the type of questions that need to be considered:

  • Have you identified a legitimate interest?
  • What are you trying to achieve? Is this method necessary to get these results, or are there less intrusive methods available?
  • What is the benefit of the data processing and what would be the impact if it didn’t go ahead?
  • Are the data subjects’ rights being balanced correctly against your own?
  • Is the data you are looking to process sensitive or private? Are you processing the data of children or vulnerable individuals?
  • Have you included suitable safeguards to ensure the data is protected? If not, what can you put in place to minimize impact and risk?

In a nutshell, legitimate interests only applies if the processing you wish to carry out is deemed necessary. By this we mean that it is proportionate and targeted, and that the same result couldn’t be achieved through any other, less intrusive means.

What is a Legitimate Interests Assessment?

If you decide to use legitimate interests as a lawful basis, then a Legitimate Interests Assessment (LIA) must be completed in all cases. An LIA is basically a risk assessment that aims to ensure you’ve gone through a comprehensive decision-making process and have balanced your own interests against those of the data subject. There isn’t a standard format that you must follow; however, you must clearly show that you have considered everything and can justify the outcome reached.

Your LIA must be constantly reviewed and updated whenever there are any significant changes in the nature, purpose, or context of the processing you are undertaking, to ensure your new purpose still complies. If there is a conflict, it is still possible for your interests to prevail, as long as there is clear justification.

Remember to keep a record of all LIAs you complete, as you’ll need to demonstrate compliance and to prove that you have fully weighed up personal interests and potential effects. This will be vital evidence, especially should a data subject complain or raise a query.

Your privacy policy must also include full details of the legitimate interests you wish to use. This must be written in clear, unambiguous language and explain exactly what your interests are.