Understanding the GDPR ‘legitimate interest’ provision
The proliferation of technology, and the resulting heightened accessibility of personal data, has prompted the need for more responsible handling of subject data, hence the approval of the EU GDPR in April 2016.
The GDPR replaces the Data Protection Directive as an attempt to protect and empower all EU citizens with regard to their personal data and privacy. Its purpose is to give control back to individuals over how their data is obtained, managed and processed.
A closer inspection of the legislation will uncover many caveats, and this is why the ‘legitimate interest’ provision was drawn up.
Despite having had the last two years to prepare, businesses are still left unsure when it comes to this particular provision.
The ICO accepts the basis of ‘legitimate interest’ when: ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’.
However, legitimate interest has put some business owners under the false supposition that they do not have to ask permission to use personal data for direct marketing purposes. The purpose of legitimate interest is to give ‘necessary flexibility to controllers for situations where there is no undue impact on data subjects’. Before legitimate interest can be claimed, the data processor must carry out a Legitimate Interests Assessment (LIA).
A Legitimate Interests Assessment involves a ‘3-stage test’.
First, identify the legitimate interest. What is the purpose of processing this personal data, and is it elective or business critical? The legitimate interest could be that of the controller or that of the data subject.
Secondly, the processor should carry out a ‘necessity test’. Is it necessary to process this data for the pursuit of commercial or business objectives? If there is no alternative way of achieving the identified interest, then the processor can claim legitimate interest.
Finally, the controller must satisfy the balancing test. The balancing test must always be conducted fairly: is the processing of the data within the reasonable expectations of the individual? This part of the test takes into account how the data is handled, which should always be justified and cause little negative impact on the individual. In other words, is the processing likely to add value, with minimal impact on the subject’s privacy?
Can legitimate interest save you from having to obtain consent, and where does this leave SMEs who hold employee data, direct marketing lists or customer data?
The following example is taken from our GDPR guide, which explores a frequently asked question from our members:
Example: You use Mailchimp to send weekly promotions and updates about your business, and you have an unsubscribe button in the footer of the email.
Analysis: If the recipients are B2B and they are existing customers or prospects, then you can continue post-GDPR, as long as there is a viable opportunity to unsubscribe. If the promotion is linked to the product line or service the customer received from you, you can also rely on legitimate interest to continue marketing to them. However, if they are B2C prospects, this will depend on how the data was obtained and what opt-ins were gained at the time of collection. If the consent satisfies the GDPR, in that it was positively, affirmatively and unambiguously given, and the processing of the data was clearly and transparently detailed to the subject, then you can rely on that consent.
The GDPR explains this as ‘the processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest.’ An organisation may wish to rely upon Legitimate Interests where consent is not viable or not preferred, and the ‘Balance of Interests’ condition can be met. However, organisations will still need to ensure they can establish necessity and balance their interests against the interests of those receiving the direct marketing communications.
The trick is to think about this sensibly. If you attend a networking event and acquire a business card, is it reasonable for the subject to expect a ‘nice to meet you, here is our website if you’d like to know more’ follow-up email? Yes. From this, you can direct them to the necessary platform to obtain consent for further communications.
Conversely, it would not be reasonable to add this subject to your Mailchimp list, and automatically sign them up to your weekly newsletter.
In most cases, it comes down to common sense.
If you are still unsure about how your organisation will comply, or if you expect to encounter some unique scenarios for which action is unclear, download this free GDPR guide which includes a comprehensive list of FAQs, and some advice from our member DAMM Solutions.