If you process personal data you must have a lawful basis to do so. Under GDPR there are six ways you can justify your processing. One of these grounds is if you have a ‘legitimate interest’ in processing the data. If you need assistance in this area, please contact our data protection solicitors London today on 0203 983 8278 or contact us online.
GDPR states that processing will be considered lawful if:
..it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.
According to the Information Commission the legitimate interest ground for processing data is the most flexible of the six lawful bases. That’s because it does not relate to a specific purpose (for example a public task or a legal obligation, two of the other bases for lawful processing). It therefore potentially gives controllers the ability to rely on it as a lawful basis in a wider variety of situations. However it is important to note that the legitimate interest basis for processing is not a catch-all ground. There are important exceptions to its use.
Consent is just one of the lawful bases for processing data. Legitimate interest is another. Here at Nath Solicitors in London we advise many of our clients that the legitimate interest ground is a useful way to ensure compliance with GDPR without seeking explicit consent. But it cannot be used in every scenario. You should always first consider the purpose of the processing you are carrying out and apply the most appropriate lawful basis for doing so. And there must always be a balancing of the interests of the company and the rights of the individual data subject. As a rule of thumb legitimate interest will be more likely to apply when either:
It’s often taken for granted that companies engaged in direct marketing – whether targeting individuals or other businesses – must get consent. But under GDPR legitimate interests of the processor can be cited as the lawful basis for direct marketing. So long as what you are sending meets the legitimate interests assessment (or balancing test )it can be used as the lawful basis of your data processing for direct marketing purposes.
HOW DO I CARRY OUT A LEGITIMATE INTERESTS ASSESSMENT?
The ICO outlines what is involved in a Legitimate Interests Assessment (LIA) when seeking to rely on legitimate interest as a lawful ground for processing data. A processor should consider the following:
It’s important to consider these issues if using legitimate interests as a ground to process data. Generally speaking use of highly sensitive data or use of data in a way that people would not ordinarily expect is less likely to be justifiable under this ground.
At Nath Solicitors we provide bespoke LIAs tailored to your circumstances. We keep these under regular review so that they remain fit for purpose as commercial circumstances change and the nature of data you capture fluctuates. For advice you can call one of our data protection solicitors on 0203 983 8278.
The lawful basis you choose to rely on for processing information is not just an academic exercise. The rights of individuals and your own position can differ considerably depending on which processing ground you apply. For example, an individual will not automatically benefit from the so-called ‘right to be forgotten’ under Article 17 of GDPR when his or her data is processed on legitimate interest grounds. That’s not true when consent is used as a basis for processing. Similarly the right to data portability by an individual is limited when a controller uses legitimate interest to justify processing.
CONTACT US
At Nath Solicitors we offer comprehensive GDPR training and advice. Call us now on 0203 983 8278 or contact us online.