The General Data Protection Regulation comes into force in May
The Information Commissioner’s Office has published new guidance to give clarity on the issue of legitimate interest under the GDPR.
The General Data Protection Regulation comes into force on 25 May 2018 and introduces tighter controls on the collection, use and protection of personal data. Under the GDPR there are stricter requirements on accountability and transparency, and these extend to relying on legitimate interests as a lawful basis for processing.
The new guidance is designed to clarify when legitimate interests can be relied upon as the basis for processing personal data and when to look at alternatives. It explains when using legitimate interests as a lawful basis is appropriate, what it means and how to decide whether it applies to your particular processing operation.
Legitimate interests is one of the six lawful bases for processing personal data and the guide says: “You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.”
It quotes article 6(1)(f):
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The guide explains: “Because it could apply in a wide range of circumstances, it puts the onus on you to balance your legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual taking into account the particular circumstances. This is different to the other lawful bases, which presume that your interests and those of the individual are balanced.”
The guide lays out a three-stage test that organisations can use to help them decide whether legitimate interests is the appropriate lawful basis:
• identify a legitimate interest that the processing pursues;
• show that the processing is necessary to achieve that interest;
• balance that interest against the individual’s interests, rights and freedoms.
Daniel Fluskey, head of policy and external affairs at the Institute of Fundraising, says in a blog about the guidance: “Legitimate interest is [the] most ‘flexible’ basis for processing, but comes with added duties.
“That means it can be used in a number of different ways and for different purposes, it’s contextual and non-prescriptive. But, at the same time, as Uncle Ben said to Spider-Man – ‘with great power comes great responsibility’. Organisations have discretion on using legitimate interest, but you cannot assume it will always be appropriate, and if you want to use that flexibility you also take on extra responsibility for ensuring people’s rights are protected.”
Fluskey also points out: “the new accountability principle of GDPR is key to legitimate interest.
“The ICO describes the biggest change for legitimate interest being the need to document decisions and demonstrate compliance. Yes, this means paperwork. It means having templates, policies, procedures and reviewing these. But that extra work is worth it and needed – the guidance provides helpful directions on how to carry out a legitimate interests assessment and questions to consider which will help.”