The GDPR (General Data Protection Regulation) outlines six conditions under which organisations can process personal data.
Contractual requirements, legal obligations, vital interests and tasks carried out in the public interest are all relatively self-explanatory, leaving consent and legitimate interest that need to be unpacked in more detail.
We’ve covered consent before, so our focus here will be on legitimate interest. We describe how it works, provide examples of where it applies and explain how you can demonstrate it.
What is a legitimate interest?
Legitimate interest is the most flexible of the GDPR’s lawful bases for processing personal data, theoretically applying whenever an organisation uses personal data in a way that the data subject would expect.
‘Interests’ can refer to almost anything here, including an organisation or third party’s commercial interests or wider societal benefits.
In general, the condition applies when:
- The processing isn’t required by law but there’s a clear benefit to it;
- There is little risk of the processing infringing on data subjects’ privacy; and
- The data subject should reasonably expect their data to be used in that way.
This might make it seem like legitimate interest is the most appropriate lawful basis for all your data processing activities, but that’s not the case. Let’s find out why.
Legitimate interest and data subject rights
The flexibility of legitimate interests comes at a price; organisations that use it must thoroughly justify it in their documentation.
Unlike the other lawful bases, it’s not obvious how the condition applies, and unless you can justify your reasoning, data subjects will be able to successfully object to the processing.
They can do this via a DSAR (data subject access request), which gives them a full record of the data you hold on them and the purpose for collecting it. If they disagree with your justification for legitimate interest, the burden is on you to prove otherwise.
Given the risks associated with collecting data unlawfully under the GDPR – including the potential for a substantial fine – it’s risky to put your documentation up for scrutiny in this way.
Your best bet, then, is to erase the complainant’s data from your records. If this happens once or twice, that’s not something to be especially concerned about, but if it becomes a pattern, it means your justification isn’t sound and that data may have been collected unlawfully.
Examples of when legitimate interest might apply
The GDPR highlights the following as specific types of processing that are considered legitimate interest:
- Fraud prevention
- Network and information security
- Indicating possible criminal acts or threats to public security
The Regulation also states that processing employee or client data, direct marketing and intra-group administrative transfers will probably be considered legitimate interest.
Let’s take a look at a specific example of a type of processing that is considered legitimate interest.
An organisation is looking into the way it stores job applicants’ personal details. It is legally required to store this information for six months, in case a candidate lodges a discrimination case.
However, the organisation decides it wants to retain the data for longer than this, because it foresees scenarios where an applicant wasn’t right for the role being advertised but they might be suitable for a future position.
In this case, the organisation is entitled to hold on to the personal details under the legitimate interest condition. The data subject gave the organisation their data, there is little risk of it being misused, and keeping it is beneficial for both the applicant and the organisation.
Is legitimate interest appropriate for marketing purposes?
One of the most common questions related to legitimate interest is whether it can be used for marketing purposes.
Marketing is one of the biggest reasons that organisations collect personal data, and besides consent – which has got a lot trickier to obtain and maintain under the GDPR – there are few options for storing personal data for marketing purposes.
As such, many businesses are pinning their hopes on legitimate interest. But are they justified? The answer, as with so many things related to the GDPR, is that it depends on the circumstances.
Article 47 of the Regulation states that “direct marketing purposes may be regarded as carried out for legitimate interest” – but may is the operative word.
If you’re certain that your marketing practices meet the criteria for legitimate interest outlined in this blog, you’re probably fine. But if you want something more definitive than ‘probably fine’, you can always carry out a legitimate interest purpose test, which we explain in the next section.
How to demonstrate legitimate interest
Whether processing counts as legitimate depends on the caveat set out in Article 6 of the GDPR – i.e. whether the benefits that come with data collection are outweighed by the “interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
How do you know when that’s the case? The ICO (Information Commissioner’s Office), the UK’s data protection authority, suggests using a three-part test.
The first part is the purpose test, which helps you decide whether the processing can be considered a legitimate interest. It consists of the following questions:
- Why do you want to process the data? What are you trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing?
- If so, how important are those benefits?
- What would the impact be if you couldn’t process this information?
- Would your use of the data be unethical or unlawful in any way?
The second part is the necessity test, which helps you decide whether legitimate interest is the most appropriate lawful basis. It consists of the following questions:
- Does this processing help further your interests?
- Is processing this information a reasonable way of securing those interests?
- Is there a less intrusive way to achieve the same result?
The final part is the balancing test, which helps you decide whether the data subject’s interests override the legitimate interest. It consists of the following questions:
- What is the nature of your relationship with the data subject?
- Is any of their personal data sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Are you processing children’s data?
- Are any of the individuals vulnerable in any way?
- Can you adopt safeguards to minimise the impact?
You don’t need to document your answers to each of these questions to justify legitimate interest, but it’s worth considering them all to make sure there’s nothing you’ve overlooked.
Your documentation should then summarise your thoughts, showing that you’ve considered your obligations to keep data subjects’ personal information safe.
Want a GDPR refresher?
The GDPR remains a major concern for organisations, and it’s their responsibility to ensure that staff don’t get complacent now that the Regulation has been in effect for some time.
One way to do that is with our GDPR Challenge E-learning Game.
This interactive online training module reinforces employees’ GDPR knowledge in a quick, engaging way. It poses several data protection problems across a range of business scenarios, covering core compliance issues.
This game is suitable for any industry but uses key sectors such as hospitality, marketing, banking, international shipping and healthcare as the basis for its real-life compliance challenges.