This article belongs in a three article series about Solving GDPR with Risk Analysis. We have written it based on our consulting experience with our clients and guidance from Information Commissioner’s Office as a core source.
The first article you can find here: The Loving Relationship Between Risk Analysis & GDPR.
So, what is the legitimate interest?
It is one of the 6 lawful bases for processing personal data and especially relevant for marketing communication and data analysis. Even though consents are a fool-proof base for data processing certain circumstances doesn’t require it such as direct marketing.
GDPR describes legitimate interest in the following way:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Although this description is as specific as it gets, the essence which lies within are 3 main points that need to be assessed each time you want to use legitimate interest:
- Purpose of your data processing, is it appropriate and relevant?
- Necessity of processing the specified data for that purpose
- Balancing the rights of individuals and justifying the impacts on them
The legitimate interest assessment (LIA), will help you to analyze these aspects and demonstrate compliance.
It is important to note that at the end there is no scoring or a single right or wrong answer. The topic of legitimate interest will often come down to your decision of how much risk you are willing to take.
Two different people may decide differently in the same situation and it can still be alright.
Why use legitimate interest?
Using this basis for processing that is generally expected and has a low privacy impact may help you avoid bombarding people with unnecessary consent requests and can help avoid ‘consent fatigue’.
The drawback is that compared to other lawful bases, there is more work for you to justify the application of legitimate interest. You need to justify the purpose and demonstrate it is balanced with the interests of the individual. There is more space for disagreement and it is your responsibility to demonstrate compliance.
When can you actually apply legitimate interest?
Legitimate interest may be the most appropriate basis when:
- The processing is not required by law but is of a clear benefit to you or others;
- There’s a limited privacy impact on the individual;
- The individual should expect you to use their data in such a way;
- And you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
Recitals 47 and 48 also explicitly state that the following activities may indicate a legitimate interest:
- Processing employee or client data
- Direct marketing
- Administrative transfers within a group of companies
However, this does not mean that a legitimate interest can apply in any case of direct marketing. It still has to be in compliance with e-privacy laws and other legal and industry standards. It is important to note that the Privacy and Electronic Communications Regulations (PECR) requires a GDPR-compliant consent for some forms of electronic marketing.
In case of e-privacy laws requiring an individual’s consent, then processing personal data for direct marketing purposes is an unlawful use without obtaining consent.
Don’t forget that if you already have a GDPR-compliant consent from the subject, then you fulfilled one of the 6 lawful bases and there is no need to pursue legitimate interest.
How to apply legitimate interest in practice?
Before using legitimate interest, you should conduct the LIA. It will help you to assess whether you are eligible to use legitimate interest as your chosen lawful basis. It is also extremely important for demonstrating your compliance at any point, should any disagreements emerge. It is therefore recommended to document and keep track of all steps, decisions made and factors taken into account.
LIA is a type of light-touch risk assessment analysing aforementioned aspects of legitimate interest in 3 steps.
Firstly, identify the legitimate interest and ask yourselves the following questions:
- What is your goal for processing the data?
- Who else benefits from the processing and in what way?
- What would the impact be if you wouldn’t be able to process the data?
- Would your use of the data be unethical or unlawful in any way?
Bear in mind that you must have clear and specific benefits when using legitimate interest, you cannot rely on some generic business interests. Processing data to have them available “just in case” is considered a breach.
Only after you answered the questions posed in the first step and determined your purpose for processing is legitimate, you can then do the necessity test and ask:
- Does this processing actually impact the legitimate interest?
- Is it a reasonable way of doing it?
- Is there any other less intrusive way to achieve the same result?
The processing doesn’t have to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose. If you can achieve your purpose in a less invasive way, then the more invasive way is not necessary.
The last step is the balancing test. This is where you take into account “the interests or fundamental rights and freedoms of the data subject which require the protection of personal data” and check that they don’t override your interests. Ask yourself these questions:
- Is the processed data in nature sensitive or private?
- Would people expect you to use their data in this way?
- What is the impact on the individual?
- How impactful might it be?
- Are you processing children’s data?
- Can you adopt any safeguards to minimize the impact?
- Can you offer an opt-out?
Interests of the individual, could in particular, override your legitimate interests if you intend to process personal data in ways that the individual does not reasonably expect. This is because if processing is unexpected, individuals lose control over the use of their data, and may not be in an informed position to exercise their rights. There is a clear link here to your transparency obligations.
The following aspects affect whether an individual can reasonably expect processing:
- What I include in my privacy information and how I present it?
- What is the nature of the relationship with the individual?
- When did you collect the data?
- What was the source of the data?
- Are you using a new technology or processing data in a new way that individuals may not anticipate?
Do not forget that you must take special precautions for children. In practice, this means that your reasons for processing must have a stronger weight than normally.
After you have considered and documented all these steps, you can make a decision to use or not use the legitimate interest for your processing. This is not a mathematical exercise, but you should aim to be as objective as possible when deciding your outcomes. Remember that this list might not be exhaustive and you always need to think about your specific situation. Often there is no right or wrong answer and the decision is down to how much risk you are willing to take.
After you have made the decision
After coming to the conclusion of using legitimate interest as your lawful basis, there are a few steps that you need to take to ensure compliance.
- Tell people that you are using legitimate interest for processing their data. Explain what your purpose for processing personal data is, legitimate interest, and all your reasons in your privacy section.
- Inform individuals of their right to object to processing based on legitimate interest. Remember that they have an absolute right to object, especially with direct marketing.
- Include easy opt-out. Given that individuals have the absolute right to object to direct marketing, it is required to give individuals a clear option to opt-out of direct marketing when you initially collect their details.