CALL US TODAY: +44(0)203 670 5540
Home // GDPR: RELYING ON LEGITIMATE INTERESTS TO PROCESS DATA

If you process personal data you must have a lawful basis to do so. Under GDPR there are six ways you can justify your processing.  One of these grounds is if you have a ‘legitimate interest’ in processing the data.  GDPR states that processing will be considered lawful if:

..it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.

According to the Information Commission the legitimate interest ground for processing data is the most flexible of the six lawful bases. That’s because it does not relate to a specific purpose  (for example a public task or a legal obligation, two of the other bases for lawful processing). It therefore potentially gives controllers the ability to rely on it as a lawful basis in a wider variety of situations. However it is important to note that the legitimate interest basis for processing is not a catch-all ground. There are important exceptions to its use.

WHAT ABOUT CONSENT?

Consent is just one of the lawful bases for processing data. Legitimate interest is another. Here at Nath Solicitors in London we advise many of our clients that the legitimate interest ground is a useful way to ensure compliance with GDPR without seeking explicit consent. But it cannot be used in every scenario. You should always first consider the purpose of the processing you are carrying out and apply the most appropriate lawful basis for doing so. And there must always be a balancing of the interests of the company and the rights of the individual data subject. As a rule of thumb legitimate interest will be more likely to apply when either:

  • – The processing will have very little effect on the individual; or
  • – There is a an overriding justification for the processing

EXAMPLE OF LEGITIMATE INTERESTS USE: DIRECT MARKETING

It’s often taken for granted that companies engaged in direct marketing – whether targeting individuals or other businesses – must get consent. But under GDPR legitimate interests of the processor can be cited as the lawful basis for direct marketing. So long as what you are sending meets the legitimate interests assessment (or balancing test )it can be used as the lawful basis of your data processing for direct marketing purposes.

HOW DO I CARRY OUT A LEGITIMATE INTERESTS ASSESSMENT?

The ICO outlines what is involved in a Legitimate Interests Assessment (LIA) when seeking to rely on legitimate interest as a lawful ground for processing data. A processor should consider the following:

  • – Is there a legitimate interest?For example is processing necessary to prevent fraud or other crimes?
  • – Is the processing necessary? Is there another way to achieve the same result?
  • – Do the individual’s interests override the legitimate interest?If processing the data is likely to cause harm to an individual it will be difficult to justify processing under legitimate interest

It’s important to consider these issues if using legitimate interests as a ground to process data. Generally speaking use of highly sensitive data or use of data in a way that people would not ordinarily expect is less likely to be justifiable under this ground.

At Nath Solicitors we provide bespoke LIAs tailored to your circumstances. We keep these under regular review so that they remain fit for purpose as commercial circumstances change and the nature of data you capture fluctuates. For advice you can call one of our data protection solicitors on 0203 670 5540.

DOES IT MATTER WHICH GROUND WE USE FOR DATA PROCESSING?

The lawful basis you choose to rely on for processing information is not just an academic exercise. The rights of individuals and your own position can differ considerably depending on which processing ground you apply. For example, an individual will not automatically benefit from the so-called ‘right to be forgotten’ under Article 17 of GDPR when his or her data is processed on legitimate interest grounds. That’s not true when consent is used as a basis for processing. Similarly the right to data portability by an individual is limited when a controller uses legitimate interest to justify processing.

CONTACT US

At Nath Solicitors we offer comprehensive GDPR training and advice. Call us now on +44(0) 203 670 5540 or contact us online.

CALL US TODAY

I accept the privacy policy

Testimonials

Copyright. Nath Solicitors Limited. Registered in England and Wales. Company Number: 08724944. VAT number: 207490711. Office Located at: 35 Berkeley Square, London, W1J 5BF. Nath Solicitors Limited is authorised and regulated by the Solicitors Regulatory Authority. Registration number 608014. Also Located at 59 Alleyn Road, Dulwich, London SE21 8AD. Branch authorisation number 631697. Terms Of Use. Privacy Policy. Cookies Policy.