Legitimate Interest Assessments

BY Matthew Brown

Whilst many organisations will be familiar with the six lawful bases under which they can process personal data under the GDPR, some of those bases are less straightforward than others.

The six lawful reasons for processing data are as follows:

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interests
  5. Public Task
  6. Legitimate Interests

Reasons 2 through 5 are fairly straightforward in terms of justifying the processing of personal data.

Contractual requirements, as the name suggests, cover processing needed to meet the requirements of a contract, whether that is an employment contract or a vendor contract. Legal obligations cover processing required by law and set out in statute. Vital interests I would always apply in circumstances relating to health and social care. Public task covers processing required in the public interest, for instance in education or policing (mainly applied to public services).

Parking consent for this article, that leaves us with processing data for a legitimate reason, one of my personal favourites. Legitimate interest provides the greatest flexibility to any organisation in respect of processing data. We have all become almost transfixed by the idea that with every action we take we require explicit consent.

WRONG!

It’s hard to obtain explicit consent, to maintain it and, more importantly, to prove it (make it auditable) when necessary.

This brings us nicely to the use of legitimate interest in processing data.

Recital 47 of the GDPR advises that legitimate interest is the most flexible lawful basis for processing. However, it is necessary to use people’s data only “in the ways that they would reasonably expect you to use [it], and which have a minimal privacy impact, or where there is a compelling justification for processing.”(ICO)

That means you can only rely on legitimate interests if the data subject can reasonably know, at the time of providing the data, what you are going to do with it. The notion is one of transparency, but it is certainly less onerous than requiring specific consent and a lot easier to document as evidence of lawful processing. It’s a balancing act between your business requirements and the privacy interests of the people whose data you are processing, including their reasonable expectations as to how your business should process their data.

Let’s look at an example to highlight the point. You buy a ticket for the cinema in January 2020. You might reasonably expect to receive promotional material by email for that year and then expect your name to be taken off the mailing list. You would reasonably expect that marketing to be limited to screenings at the cinema. However, if the company went on to sell your details to a third party and you then started receiving effectively unsolicited marketing messages about buying a new kitchen or holidays in the Algarve, that’s not something you would expect, and it would breach the processing requirements around legitimate interest.

Now that you’ve established legitimate interest, how do you use it?

You’ll need to identify the particular legitimate interest and show that the processing is necessary to achieve it; at the same time you need to evidence that you have balanced it against the individual’s interests, rights and freedoms. The ICO breaks this down into three tests:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

How do you do this?

Perform a Legitimate Interest Assessment (LIA), which needs to be applied as a template to every form of data processing you do (not dissimilar to a Data Protection Impact Assessment (DPIA), but with a different outcome).
