The GDPR legislation coming into effect from 25 May 2018 is a comprehensive, but complex, piece of legislation that many organisations will struggle to get to grips with. It’s not enough to know you need to comply, you also need to know why, so, having discussed the issue of consent, we now turn to another key area of the legislation: legitimate interest.
Legitimate interest is one of six lawful grounds for processing personal data and the one that’s likely to interest marketers, or marketing departments within organisations, most.
The definition:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third-party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
What does legitimate interest mean and how will it apply?
An essential part of the legitimate interest concept is:
- The balance between the interests of the controller and
- The rights and freedoms of the individual
It points out that in order to be compliant with GDPR, legitimate interest must be real and not vague, and looks at whether the data subject would or should expect processing to take place for the reason given.
For example, data processing as part of fraud prevention or a necessary security measure, might deliver a strong case for legitimate interest.
The subject’s knowledge is a key part of this basis, and individuals must be made aware of those interests and their right to object.
Subject’s right to erasure
The ‘right to erasure’ is not automatic, which is different to consent as a legal basis, where an individual can withdraw consent at any time and the controller is legally obliged to ensure no further processing occurs.
The right to erasure would apply, however, if the controller could not justify the legitimacy, the personal data is no longer required for the purpose it was originally collected, or where the processing is found to be unlawful.
The organisation will also need to be able to show they can handle data requests from an individual, which would involve accessing and reproducing and sharing all the data on that individual they hold.
What are legitimate interests?
The recitals that give examples of processing that could be necessary for legitimate interest include:
- Recital 47: processing for direct marketing purposes or preventing fraud. This recital also makes it clear that controllers should consider the expectations of data subjects when assessing whether their legitimate interests are outweighed by the interests of data subjects. The interests and fundamental rights of data subjects “could in particular override” that of the controller where data subjects “do not reasonably expect further processing”.
- Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data (note international transfer requirements will still apply.
- Recital 49: processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems.
- Recital 50: reporting possible criminal acts or threats to public security to a competent authority.
How is legitimate interest tested?
If a data controller wishes to rely on legitimate interest, they will need to be able to demonstrate to a supervisory authority and/or an individual (if challenged), that it’s considered how necessary it is to process the personal data and prove it hasn’t overridden any of the individual’s rights.
To do this, a data controller must carry out an appropriate Legitimate Interest Assessment (LIA). Some LIAs will be straightforward, but controllers are always advised to maintain a written record that includes their reasoning and conclusion, so there can be no doubt about how legitimate interest was upheld.
These LIAs can be disclosed to other controllers if the personal data is ever sold or acquired by another party, and the lawful basis needs to be reconfirmed as part of the due diligence process.
3 Key Stages of a Legitimate Interest Assessment
- Identify a Legitimate Interest
The first stage is about identifying the purpose for processing the personal data and explaining why it’s important to you as a controller.
A Legitimate Interest can be elective or business critical; and even if the Controller’s interest is obvious and legitimate, the legal basis must be clearly articulated and communicated to the individual.
Marketing departments, for example, would argue that storing and processing the data of individuals would enable them to better understand their market, and therefore provide more accurate and relevant marketing to those individuals. However, this would then have to be weighed up against the right of the individual to not be targeted repeatedly with marketing messages they do not want.
Legitimate Interests can include those of the controller, a third party who has access to the personal data, or both. While you may only need to identify one legitimate interest, all relevant interests should be considered.
Your LIA would only cover your relevant processing and the disclosure of the personal data. A Third Party would have to conduct their own LIA for their own processing purposes.
- Carry out a Necessity Test
This looks at whether it’s necessary for the business to process the data they hold, and asks data controllers to consider whether there is another way to achieve their goal. The onus is on the controller to prove there is no other way. If there is, but the effort required is disproportionate, it will go in favour of the controller as necessary.
If it’s found that other suitable routes are possible, the test should be used to identify the least intrusive option.
One of the first steps towards reaching compliance is to take the approach of minimisation. This will involve an audit of what data the organisation holds, assessing what they really need, and safely and securely deleting what is surplus to requirements. Simply put, the less data you hold, the less work you have to do regarding compliance.
- Carry out a Balancing Test
A data controller can only rely on a genuine legitimate interest where the rights and freedoms of the individual have been evaluated and the interests don’t override the controller’s legitimate interest.
As you’d expect, the balancing test must always be conducted fairly, not give way to any bias, and always give due regard to the rights and freedoms of individuals.
There are several factors to consider when making decisions around an individual’s rights, including:
- The nature of the interests
- The impact of processing
- Any safeguards which are or could be put in place
How can a certified GDPR consultant help?
A consultant certified in GDPR can review and improve on existing procedures, simplify and automate business processes, and recommend practical builds to your IT infrastructure that will help keep you compliant, add value, and futureproof the business.
Accountability is one of the pillars of GDPR, so regardless of which of the six processing principles you run with, there’s a requirement to demonstrate it’s been well considered.
Perhaps even more significant is the legal requirement to keep individuals informed on exactly how you intend to use their data, the grounds on which you’re using it, and offering them every opportunity to object or withdraw consent. All of which will put data subjects at the heart of the process, but increase controller’s responsibilities considerably.
At pebble.it, we can help you do both.
Discover how you can take the first steps towards compliance with GDPR and how we can help by downloading our GDPR-readiness checklist:
- SHARE
- Tweet