Legitimate interests: is it legit?
5-point legitimate interests checklist
“Legitimate interests is the most flexible lawful basis for processing,
but you cannot assume it will always be the most appropriate.”
UK Information Commissioner’s Office
Legitimate interests is used as a ‘go-to’ lawful basis for a host of business activities: analysis, administration, fraud prevention, network security, prospecting, marketing segmentation and personalisation… the list goes on.
But, just because we could do something with people’s personal data, doesn’t mean we should. The lack of another lawful basis as a ‘good fit’ doesn’t mean we should simply choose legitimate interests and decree it legit!
UK and EU GDPR require organisations to balance their own legitimate interests against the interests of the people whose data is used for a particular activity – and their rights and freedoms. Such business interests can be commercial ones, but they need to be balanced.
Legitimate interests checklist
Here’s a quick reminder of the elements to consider when relying on legitimate interests as your lawful basis.
1. Reasonable expectations
Are you handling people’s personal data in a way they would reasonably expect? If not, do you have a very strong justification?
Judging reasonable expectations is objective. Legitimate interests is more likely to apply where you have a relevant and appropriate relationship with the people whose data you’re using. For example, they’re employees, clients or existing customers. Other factors which play a part in this are how long ago you collected the data, where you sourced the data from and whether you’re using new technology or using data in a way people might not have expected.
2. Legitimate Interests Assessment
Have you conducted a Legitimate Interests Assessment (LIA)? This 3-part assessment should cover:
- Identifying a legitimate interest
- Demonstrating the processing is necessary for your organisation to achieve your objectives
- Balancing your interests against individual interests, rights and freedoms
Where a case for relying on legitimate interests is clear cut, this needn’t be a complex assessment, but alarm bells should start ringing if what you’re planning to do…
- isn’t really necessary
- could be achieved in another less intrusive way
- would be unexpected or unreasonable
- may cause harm or distress to those whose data is involved
- means people are unable to exercise their privacy rights
3. Transparency
Are you open about what you’re doing? Have you fulfilled people’s right to be informed about how their personal data’s being used?
It’s a legal requirement to tell people what processing activities you rely on legitimate interests for. This should be explained in a privacy notice clearly brought to people’s attention. Typically a privacy notice would be on forms where you collect personal data, on your website footer and in the footer of your emails.
4. Right to object
Can you provide people with a clear opportunity to object? If not, can you justify not doing so? For example, you probably wouldn’t give people the opportunity to object to necessary fraud or security checks.
5. Risk assessment?
Does what you want to do involve children’s data? Does it involve special category data (such as health data or biometrics)? Does it involve monitoring people on a large scale? Does it involve innovative solutions like AI?
For any higher risk activities, it’s likely you’ll need to conduct a Data Protection Impact Assessment in addition to an LIA.
Legitimate interests and marketing
Direct marketing may be a legitimate interest, to paraphrase GDPR Recital 47, but organisations still need to balance their commercial interests, and make sure their marketing doesn’t infringe on the rights and freedoms of individuals.
Crucially, legitimate interests can only be used if consent is not a requirement under ePrivacy rules, such as the UK’s Privacy and Electronic Communications Regulations (PECR).
Clearly, it’s difficult to argue direct marketing is in people’s interests, so the ICO recommends focusing on the following factors when conducting a legitimate interest assessment:
- Would people expect you to use their details for marketing?
- Would unwanted marketing messages cause a nuisance?
- Could the method and frequency of communications have a negative impact on more vulnerable people? In simple language, could you be accused of being overly pushy or aggressive?
Most importantly, everyone has an absolute right to object to direct marketing. The ICO says it’s more difficult to pass a balancing test if you do not give people a clear option to opt out when you collect their details or, if the data wasn’t collected directly from them, in your first communication.
Ultimately, to genuinely rely on legitimate interests for any purpose, we should be up front and honest about what we are doing, make sure it’s reasonable and give people the chance to say no, unless we have a strong case for doing otherwise.