But Do You Really Have A Legitimate Interest?

Data protection expert Gillian Scribbins, of Muckle LLP, tackles a GDPR grey area for many businesses.

Too often in privacy notices and data protection policies we’re coming up against ‘we process your data on our legitimate interest’ without any further explanation. Read on for some gentle pointers on how to avoid this subtle pitfall.

A fundamental element of GDPR, and as it happens the data protection laws we’ve had in place since 1998, is that personal data must be processed lawfully. At face value it seems simple enough, and is not always given much deeper consideration. But establishing whether your processing is lawful is a critical step to being GDPR compliant, and it is often a connection data controllers are struggling to make.

SO HOW CAN PROCESSING BE LAWFUL?

Very simply, there are six reasons for processing data that are justified by law. These are the lawful, or legal, bases you should by now have seen repeated in every privacy policy worth its salt. To list them: performance of a contract; the data subject’s consent; a legal obligation; the data subject’s vital interests; a public task or the public interest; and, legitimate interests.

The ICO explains all of these six lawful bases in their guide to the GDPR, and mostly they’re exactly what they say on the tin. Yet one continues, almost half a year on from the dreaded enforcement date, to cause a stumbling block. Legitimate interests.

Contrary to popular belief, it’s not a catch all into which you can sweep all your data processing that doesn’t quite fall under one of the other bases. Stating there is a legitimate interest does not qualify as a legitimate interest. A legitimate interest might be commercial, charitable, it might be market research or social interest; it might be to promote or develop your business or your start up. Whatever it is, you need to have a genuine reason to be processing the data; you need to be able to explain what your interest is and why it’s legitimate.

DETERMINING LEGITIMATE INTEREST

This is the point we’re finding organisations come to again and again, in particular those who have opted for legitimate interests as a way to avoid the daunting task of going out to data subjects for consent. Particularly we see this with marketing campaigns; newsletters; existing customer databases; and the use of photographs on social media and other publically accessible platforms. In all these scenarios both consent and legitimate interests can work as your lawful basis; but if you don’t really have a business necessity; your lawful basis should be consent.

Because once you’ve determined you have a legitimate interest – the fun has just begun. To truly have a legitimate interest, you need to have carried out what the ICO are referring to as a legitimate interest assessment. They say: “Documenting your assessment of legitimate interests is particularly important in helping you to demonstrate compliance under the accountability principle.” So what does this involve? The assessment is a kind of risk assessment in which the data controller has to balance their aforementioned valid interest against the right to privacy, and the expectations of the data subject.

This needs to be a written and recorded document or rationale (for which there is no prescribed format); and it needs to conclude that the purpose for processing will not be unexpected to a data subject; will not infringe their privacy rights; and is the only way to achieve your purpose. If this isn’t the conclusion of your balance test – you don’t have a legitimate interest. And this needs to be repeated for each individual data processing activity you’re basing on your legitimate interests.