The pros and cons of relying on legitimate interest in GDPR
Last week, the Information Commissioner’s Office (ICO) published guidance on the use of legitimate interest as a lawful basis for data processing.
In its guidance, the ICO states that if you are using data ‘in a way that people would reasonably expect and that has a minimal privacy impact’ you may be able to rely on legitimate interest.
We look at the pros and cons of choosing legitimate interest as opposed to any of the other five lawful bases.
Pros of relying on legitimate interest
Legitimate interest is the most flexible of the six lawful bases for data processing because it is not purpose-specific. The ICO says that it may reasonably be used as a basis for processing employee or client data, direct marketing (under certain circumstances) or administrative transfers within a group of companies.
Legitimate interest gives you, as the data controller, greater control over the data you hold than consent does, because an individual can withdraw consent at any time. At the same time, it does not necessarily override an individual’s right to object.
Covers a range of interests
Legitimate interest can be applied to a company’s own commercial interests, to those of a third party or even society as a whole.
Re-consent may not be necessary
If you previously relied on consent to processing under the Data Protection Act 1998, you do not necessarily have to continue to rely on consent under the new General Data Protection Regulation (GDPR). You may be able to use legitimate interest rather than seeking new GDPR-compliant consent (which might not be given).
But wait… there are also cons
Need to be specific
You still need to be specific about your purpose for processing an individual’s data and have a clear outcome or benefit in mind (which is clearly communicated to individuals in your privacy notice).
The responsibility for protecting individual rights and interests falls on you (rather than on the individual). You must be prepared to take on that additional responsibility and be confident that you have the procedures and systems in place to do so.
Harder to demonstrate compliance
It is harder to demonstrate compliance with GDPR when relying on legitimate interest than it is with the more purpose-specific lawful bases.
Individual interests first
If there is a mismatch of interests between you and the individual, it is most likely that the individual’s interests will come first.
Proof of necessity to process
You need to be able to demonstrate that the processing is necessary for the legitimate interest and that there isn’t a less invasive way to meet that legitimate interest.
…and also ‘no-go’ areas
There are a number of areas where legitimate interest should not be used as a lawful basis for data processing. These include:
Special Category data
You need to use an additional justification (or clear and explicit consent) to process very sensitive personal information such as race and ethnicity, sexuality, health and beliefs.
Children’s personal data
Although GDPR doesn’t prohibit the use of legitimate interest in relation to children’s personal data, it does require additional safeguards and puts a far greater onus on the data processor to justify the impact on the child.
Consent required by other marketing law
GDPR sits alongside wider marketing legislation including the Privacy and Electronic Communications Regulation (PECR). If consent is required under PECR or any other marketing law then it is not possible to rely on legitimate interest for marketing purposes under GDPR.
And don’t forget the three part test
The ICO is clear that anyone relying on legitimate interest must ensure they pass the ‘three-part test’:
Purpose test – Is there genuinely a legitimate interest for the processing?
Necessity test – Is the processing necessary to achieve that purpose?
Balancing test – Is that legitimate interest overridden by the individual’s interests, rights or freedoms?
So whilst legitimate interest can seem to be the easy way out, there really is no easy option with GDPR. The key things to consider are the fundamental principles of accountability and transparency enshrined in GDPR and the need for processing to be fair.
For further information on legitimate interest, read the ICO guidance.