GDPR. Legitimate Interests and Consent.

legitimate interests and consent

In this blog, we’ll discuss the pros and cons of legitimate interests and consent. It can be tricky working out the lawful basis (or bases) with which the data processing activities of your organisation are best defined and justified. They will vary across different business areas and between – and even within – industries.  Legitimate interests and consent tend to be most relevant to the private and third sectors and have become the subject of much discussion among marketing and other data-centric professionals.

But first, a bit of context. The General Data Protection Regulation (GDPR) provides six lawful bases for processing, a couple of which are fairly straightforward to understand. For instance, legal obligation is an obvious lawful basis in some circumstances, such as processing accident information for a report to comply with Health & Safety regulations. Almost all professionals will have some experience with this lawful basis of processing. But what about legitimate interests and consent? These have very specific requirements under the GDPR, and it’s important to be familiar with them.

What are the Legal Bases?

The six lawful bases under the GDPR are as follows:

  • Consent:  the individual (data subject) has provided clear, positive consent for you to process their personal data for a specific purpose.
  • Contract:  the processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation:  the processing is necessary for legal compliance (other than contractual obligations).
  • Vital interests:  the processing is necessary to protect someone’s life.
  • Public task:  the processing is necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests:  the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

These are not hierarchical.  You must select the single most appropriate legal basis for the activity and purpose for which you are conducting the processing. There are simple steps you can take to help you decide between legitimate interests and consent.

When and How do I Use Legitimate Interests?

Article 6 of the GDPR grants legitimate interests as a lawful basis if the processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate interests is widely used for marketing and some areas of HR.

So how do we know if this is the case? Well there’s a three-step test, which has been approved by the Information Commissioners Office (ICO) summarised below.  This is known as a Legitimate Interests Assessment (LIA).

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is this processing necessary? Crucially, could this legitimate interest be pursued without the processing of personal data?
  3. Balancing test: do the individual’s rights override the organisation’s legitimate interests?

It’s important to have these LIAs established and documented prior to any processing. But if you think your organisation could use genuine legitimate interests, here are some benefits:

  • It is the most flexible lawful basis for processing. There are a wide range of legitimate interests, including commercial.
  • Going through an LIA is always useful: you may find ways of streamlining your data processing to what is strictly necessary and limiting your privacy impact.
  • You don’t need to be disruptive or pestering to a data subject with a consent request to which no one would reasonably object.
  • It can also be used for some routine internal processes such as HR.

When and How May I use Consent?

More and more people will be aware of the GDPR’s tightening of the consent definition, but here’s a quick recap: consent is a lawful basis for data processing if…

“The data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

It is the specificity of the purpose for which a data subject’s information is being processed that’s important to remember. Consent must be informed, which means you must tell the individual what data you are collecting, the reason why, and what you will do with it.  Evidence of consent must be captured. And remember, data subjects may withdraw consent at any time they wish.

Some other benefits of using consent include:

  • It’s a very strong, unambiguous ground for processing. You asked, and they said yes. As long as you have evidence, it is difficult to argue with.
  • Consumers, in certain contexts, may trust you more for having asked, and may appreciate your concern for data protection rights.
  • It allows individuals to understand and engage with how their own data is being used, fostering a mutual respect for data rights.

If you have any questions about the legal basis for processing, including LIAs or Consent requirements, please contact us via email or call 01787 277742

Harry Smithson, 29th September 2019