Are you using Legitimate Interest as a means to justify processing individuals’ Personal Data?
According to the GDPR, Legitimate Interests may be the most flexible legal basis for processing personal data. However, it would be unwise to assume it will be appropriate in every case.
It is probably most appropriate where you use people’s data in ways they would reasonably expect, and would have minimal impact on privacy. Also when there is a compelling justification for the processing. But remember, you will be taking on additional responsibility for protecting people’s rights and interests under GDPR.
Legitimate Interests should not be used in cases where processing:
- does not comply with legal, ethical or industry standards
- when there is no clear purpose for processing
- if there is a risk of significant harm, or;
- another lawful basis, which is more obvious
Legitimate Interest – key elements
First of all, to rely on Legitimate Interests for processing, you need to:
- identify a Legitimate Interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
The Legitimate Interests you identify can be:
- your own interests;
- the interests of a third party;
- commercial interests;
- individual interests; or
- broader societal benefits.
Moreover, the processing of personal data must be absolutely necessary. Legitimate Interest will not apply if you can reasonably achieve the same result in another less intrusive way.
So, you must balance your interests against the individual’s best interests and legal rights. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests will likely override your legitimate interests.
It is vitally important to keep a record of your Legitimate Interest Assessment (LIA). This will help you to demonstrate compliance, if required to do so. You must also include full details of your LI in your privacy information.
The Information Commissioner’s Office has published the following helpful checklist:
- checked that Legitimate Interests is the most appropriate basis.
- understood our responsibility to protect the individual’s interests.
- conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
- identified the relevant legitimate interests.
- checked that the processing is necessary and there is no less intrusive way to achieve the same result.
- done a balancing test, and are confident that the individual’s interests do not override those Legitimate Interests.
- only used individuals’ data in ways they would reasonably expect, unless we have a very good reason.
- not used people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
- ensured that if we process children’s data, we take extra care to make sure we protect their interests.
- considered safeguards to reduce the impact where possible.
- considered whether we can offer an opt out.
- If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
- ensured that we keep our LIA under review, and repeat it if circumstances change.
- included information about our legitimate interests in our privacy information.
Sources and credits: Information Commissioner’s Office