The GDPR (General Data Protection Regulation) outlines six conditions under which organisations can process personal data.
Four of those conditions are relatively self-explanatory: contractual requirements, legal obligations, vital interests and tasks carried out in the public interest.
That leaves consent and legitimate interest, which need to be unpacked.
This blog focuses on legitimate interest.
What is a legitimate interest?
Legitimate interest is the most flexible of the GDPR’s lawful bases for processing personal data.
Theoretically, it applies whenever an organisation uses personal data in a way that the data subject would expect. ‘Interests’ can refer to almost anything here, including an organisation’s or a third party’s commercial interests, and wider societal benefits.
In general, the condition applies when:
- The processing isn’t required by law, but has a clear benefit;
- The processing carries little risk of infringing on data subjects’ privacy; and
- The data subject should reasonably expect their data to be used in that way.
This might make it seem like legitimate interest is the most appropriate lawful basis for all your data processing activities, but that’s not the case. Let’s find out why.
Legitimate interest and data subject rights
The flexibility of legitimate interest comes at a price: organisations that use it must thoroughly justify it in their documentation.
Unlike the other lawful bases, it’s not obvious how the condition applies. Unless you can substantiate your reasoning, data subjects can object to the processing and force you to remove their records.
They can do this via a DSAR (data subject access request), which gives them a full record of the data you hold on them and the purpose(s) for collecting it.
If they disagree with your justification for legitimate interest, the burden is on you to prove otherwise.
Given the risks associated with collecting data unlawfully under the GDPR – including the potential for a large fine – it’s risky to put your documentation up for scrutiny in this way.
Your best bet, then, is to erase the complainant’s data from your records.
If this happens once or twice, you shouldn’t necessarily be concerned. But if it becomes a pattern, it means your justification isn’t sound and that you may have collected data unlawfully.
Examples of when legitimate interest might apply
In its recitals, the GDPR highlights the following as specific types of processing considered legitimate interest:
- Fraud prevention
- Ensuring network and information security
- Indicating possible criminal acts or threats to public security
You can likely also rely on legitimate interest for:
- Direct marketing
- Processing employee or client data
- Administrative transfers within a group of companies
Let’s look at a specific example of a type of processing that is considered legitimate interest.
An organisation is looking into the way it stores job applicants’ personal details. It’s legally required to store this information for six months, in case a candidate lodges a discrimination case.
However, the organisation decides it wants to retain the data for longer than this, because it foresees scenarios where an applicant wasn’t right for the role being advertised, but they might be suitable for a future position.
In this case, the organisation is entitled to hold on to personal details under the legitimate interest condition.
The data subject gave the organisation their data, and the risk of it being misused is small. Plus, keeping it is beneficial for both the applicant and the organisation.
Is legitimate interest appropriate for marketing purposes?
One of the most common questions related to legitimate interest is whether it can be used for direct marketing.
This is one of the biggest reasons that organisations collect personal data. Many are eager to use it, because apart from consent – which has become much trickier to obtain and maintain under the GDPR – there are few options for storing personal data for marketing purposes.
As such, many businesses are pinning their hopes on legitimate interest. But are they justified? The answer, as with so many things related to the GDPR, is that it depends on the circumstances.
Recital 47 of the Regulation states that “direct marketing purposes may be regarded as carried out for legitimate interest” – but ‘may’ is the operative word.
If you’re confident that your marketing practices meet the criteria for legitimate interest outlined in this blog, you’re probably fine.
But if you want something more definitive, you can always carry out a legitimate interest purpose test, which we explain in the next section.
How to demonstrate legitimate interest
Whether processing counts as legitimate depends on the caveat outlined in Article 6 of the GDPR. That is to say, do the benefits that come with data collection outweigh the interests or fundamental rights and freedoms of the data subject?
How do you know when that’s the case? The ICO (Information Commissioner’s Office), the UK’s data protection authority, suggests using a three-part test.
1. Purpose test
The purpose test helps you decide whether the processing can be considered a legitimate interest.
The purpose test comprises the following questions:
- Why do you want to process the data? What are you trying to achieve?
- Who benefits from the processing? How do they benefit?
- Are there any wider public benefits to the processing?
- If so, how significant are those benefits?
- What would the impact be of not processing this information?
- Would your use of the data be unethical or unlawful in any way?
2. Necessity test
The necessity test helps you decide whether legitimate interest is the most appropriate lawful basis.
The necessity test comprises the following questions:
- Does this processing help further your interests?
- Is processing this information a reasonable way of securing those interests?
- Is there a less intrusive way to achieve the same result?
3. Balancing test
The balancing test helps you decide whether the data subject’s interests (rights and freedoms) override the legitimate interest.
The balancing test comprises the following questions:
- What is the nature of your relationship with the data subject?
- Is any of their personal data sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual, and how big would it be?
- Can you adopt safeguards to minimise the impact?
- Are any of the individuals vulnerable in any way?
- Are you processing children’s data?
You don’t need to document your answers to each of these questions to justify legitimate interest, but it’s worth considering them all to make sure you haven’t overlooked anything.
Your documentation should summarise your thoughts, showing that you’ve considered your obligations to keep data subjects’ personal information safe.
DPO as a service
If you’re looking for help meeting your GDPR requirements, you should consider our DPO as a service.
The GDPR gives organisations the opportunity to outsource their DPO, and with our solution, it has never been simpler.
One of our data protection experts will perform all the necessary tasks remotely, working with you to understand your organisation and its compliance requirements.
The service, offered by our sister company GRCI Law, is also ideal for organisations that aren’t legally required to appoint a DPO but still want someone to provide expert advice.
The post What Is Legitimate Interest Under the GDPR? appeared first on IT Governance Blog.

