Legitimately interested in GDPR

The General Data Protection Regulation (GDPR) comes into effect on May 25th. Across the nation, businesses small and large are busy preparing for the impact of this new legislation. With it, businesses are having to learn a whole new host of vocabulary. Words like ‘pseudonymisation’ and ‘modalities’ are replacing polite, ‘isn’t the weather awful today?’ coffee-break chitchat.

One aspect of the GDPR that continues to crop up under a veil of ambiguity is that of ‘legitimate interest’. This blog aims to clarify what you need to know about legitimate interest and its role in GDPR, so that you can make those last-minute changes.

From 25th May, you must have a valid and lawful basis to process personal data. The GDPR offers six lawful grounds for the processing of data, one of which is legitimate interests. According to the legislation, this ground applies where data processing is necessary “for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject”. Don’t worry, we scratched our heads too. The key point is that legitimate interest gives you an alternative to obtaining consent.

Of all the new articles being enforced within the legislation, legitimate interests is the most flexible basis for processing data. It is most likely to be used in ways your data subjects would expect and which have a minimal privacy impact. It can also be used if there’s a convincing justification. For example, a legitimate interest exists when the data subject is a client of the data controller because there is a relevant relationship between subject and controller.

Direct marketing is accepted as a legitimate interest. This means that it’s acceptable to continue marketing to prospects provided they have been made aware of the option to opt out at any point. All of this needs to be explained in plain English; you should state your legitimate interest in your privacy policy.

However, the Information Commissioner’s Office (ICO) warns that, when choosing to rely on legitimate interests, you “consequently take on extra responsibility for considering and protecting people’s rights and interests”. As such, if you think you can process data on the basis of legitimate interests, you should demonstrate that the processing is necessary to achieve that interest. In other words, the processing is essential because you can’t achieve the same result in another less intrusive way.

Next steps

Now you know what legitimate interest means, what are your steps moving forward?

If you want to continue contacting your clients, you must make them aware of how you will process their data, that they have the option to opt out or unsubscribe at any time, and that they now have a number of rights regarding data use and protection.

If you think you’ve identified a legitimate interest, ask yourself ‘would your client be alarmed if you told them about it?’ If you think they would, then go and get consent. If not, then prove that you need to process the data because there is no other way that’s less intrusive.

If you’re still not sure, the ICO has produced a three-pronged test to help you decide whether or not the legitimate interests basis will apply. We’ve summarised it below.

First, you need to assess whether there is a legitimate interest behind the processing:
• Why do you want to process the data?
• How will processing the data benefit you?
• What would the impact be if you couldn’t go ahead with the processing?

Second, assess whether the processing is necessary for the purpose you’ve identified:
• Will this processing really help you?
• Can you achieve the same purpose without it?
• Can you achieve the same purpose by processing it in a less intrusive way?

Third, consider the impact on individuals’ interests and rights to determine if this supersedes your legitimate interests:
• Is the data special category?
• Is the data considered to be ‘private’?
• Is the data about people in their personal or professional capacity?
• Are you processing children’s or vulnerable people’s data?

Once you have satisfied these criteria, you should also refer to the Privacy and Electronic Communications Regulations (PECR). These guidelines sit alongside the Data Protection Act and GDPR. By adhering to the recommendations in the PECR, you can be more confident that you are on the right side of the law when processing data on the basis of legitimate interest.

The bottom line is that legitimate interest gives you an alternative to gaining opt-in consent from your contacts but is not free rein to carry on marketing as you have been pre-GDPR. Ensure you apply and document the assessments for legitimate interest and stick to the PECR guidelines.