Further Information Regarding Legitimate Interests
Of the six lawful bases specified under GDPR, ‘legitimate interests’ is the most flexible. However, there are some strict guidelines around its use.
Data can be processed in the legitimate interests of the data controller (or a third party), and that can include your own personal or business interests or those of a third party. The key exception is where such interests are overridden by the interests or fundamental rights and freedoms of the data subject – especially if that subject is a child.
Direct marketing is listed as a potential use of legitimate interest, but this shouldn’t be taken as a free pass to do whatever you want. Processing under this basis places additional responsibility on the organisation to consider and protect each individual’s rights and interests. Data processing must be proportionate, targeted, have the smallest possible impact on the individual and not require consent under the Privacy and Electronic Communications Regulations (PECR), which provide additional protection for consumers.
Here is a basic checklist of the type of questions that need to be considered:
- Have you identified a legitimate interest?
- What are you trying to achieve? Is this method necessary to get these results, or are there less intrusive methods available?
- What is the benefit of the data processing and what would be the impact if it didn’t go ahead?
- Are the data subjects’ rights being balanced correctly against your own?
- Is the data you are looking to process sensitive or private? Are you processing the data of children or vulnerable individuals?
- Have you included suitable safeguards to ensure the data is protected? (if not, what can you put in place to minimise impact and risk?)
In a nutshell, legitimate interest only applies if the processing you wish to carry out is deemed necessary. This means it is proportionate and targeted, and that the same result couldn’t be achieved through any other, less intrusive means.
What is a Legitimate Interest Assessment?
If you decide to use legitimate interest as a lawful basis, then a Legitimate Interest Assessment (LIA) must be completed in all cases. An LIA is essentially a risk assessment that aims to ensure you’ve gone through a comprehensive decision-making process and have balanced your own interests against those of the data subject. There isn’t a standard format that you must follow; however, you must clearly show that you have considered everything and can justify the outcome reached.
Your LIA must be constantly reviewed and updated whenever there are any significant changes in the nature, purpose or context of the processing you are undertaking, to ensure your new purpose still complies. If there is a conflict, it is still possible for your interests to prevail, as long as there is clear justification.
Remember to keep a record of all LIAs you complete, as you’ll need to demonstrate compliance and prove that you have fully weighed up personal interests and potential effects. This will be vital evidence, especially should a data subject complain or raise a query.
What can Lead Forensics do for your business?
Imagine if you could take control of your lead generation activity and convert sales-ready prospects before your competitors even get close. Lead Forensics is the software that reveals the identity of your anonymous website visitors and turns them into actionable, sales-ready leads – in real time.
Lead Forensics can:
- Tell you who is visiting your website
- Provide highly valuable contact information including telephone numbers and email addresses
- Give insight into what each visitor has looked at, as well as where they came from.
Take a look for yourself with a free, no obligation trial – you can get started today!