We’ve discussed before how the consent of an individual is not always necessary for the lawful processing of data under GDPR. The last-minute panic, demonstrated by the deluge of emails seeking consent immediately before GDPR’s introduction, was perhaps indicative of a widespread misconception that GDPR is all about consent. In fact, it’s not. There are several other grounds on which to lawfully process data, and one of these is to show you have a legitimate interest in doing so. For many of our clients this is a useful way to ensure compliance with GDPR without seeking explicit consent. But it involves a delicate balancing exercise: weighing up the interests of the company or processor against the rights and freedoms of the individual.
WHAT DOES GDPR SAY ABOUT LEGITIMATE INTEREST DATA PROCESSING?
Under Article 6(1)(f) of the GDPR, processing will be considered lawful if:
...it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.
The obligation on data controllers in Article 6 is not hugely different from their responsibilities prior to GDPR. But, significantly, GDPR attaches greater weight to the protection of data belonging to children. There is also a new requirement to keep a record of the basis of legitimate interest processing so that you can be accountable for any decisions you make if necessary.
WHAT IS A LEGITIMATE INTEREST ASSESSMENT?
The ICO website outlines the need to carry out a Legitimate Interest Assessment (LIA) when seeking to rely on legitimate interest as a lawful ground for processing data. It involves considering the following:
- Does a legitimate interest exist? Examples of what may be a legitimate interest include fraud prevention, IT security, use of employee data and disclosure of personal information to prevent crime
- Is the processing necessary? Even if there is a legitimate interest you must demonstrate that there is no other reasonable way to get the same result
- Do the individual’s interests override the legitimate interest? If for example use of the data is likely to cause harm to an individual it will be difficult to justify processing under legitimate interest
It’s important to consider these issues if using legitimate interests as a ground to process data. Generally speaking, use of highly sensitive data, or use of data in a way that people would not ordinarily expect, is less likely to be justifiable under this ground. Big Data Law provides bespoke LIAs tailored to your circumstances. We keep these under regular review so that they remain fit for purpose as commercial circumstances change and the nature of data you capture fluctuates. For advice you can call one of our data protection solicitors on 0203 670 5540 or alternatively you can get in touch with us online.
DOES IT MATTER WHICH GROUND WE USE FOR DATA PROCESSING?
Carrying out risk assessments like the LIA may appear cumbersome. But the lawful ground you choose to rely on for processing information is not just an academic exercise. The rights of individuals and your own position can differ considerably depending on which processing ground you apply. For example, an individual will not automatically benefit from the so-called ‘right to be forgotten’ under Article 17 of GDPR when his or her data is processed on legitimate interest grounds. That’s not true when consent is used as a basis for processing. Similarly, an individual’s right to data portability is limited when a controller uses legitimate interest to justify processing.
INFORMING INDIVIDUALS OF LEGITIMATE INTEREST PROCESSING
When using the legitimate interest ground you must let individuals know:
- How their data is being processed
- That it is being processed under the legitimate interest ground
- What the legitimate interest is
- That they can object
For many clients, getting the message across to individuals about legitimate interests can prove problematic. We provide bespoke information templates that ensure you fully comply with the law while reassuring individuals that you have carried out an exhaustive assessment of any potential impact the processing will have on them.
We are happy to offer specialist legal advice on all aspects of GDPR. Call us on 0203 670 5540.