Under the GDPR, due to come into force on May 25 2018, there are six legal bases for processing data. Legitimate interests is one of these six bases. This article looks more closely at this particular area.
According to the General Data Protection Regulation (GDPR): “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
But what are legitimate interests?
Bear in mind that the rules are much more stringent for public organisations and especially rigorous when applied to children.
It is possible to demonstrate legitimate interests by showing a commercial benefit, but the conditions must be right.
Maybe the golden rule is documentation. You need to show you have fully taken into account the various issues concerning legitimate interests.
Drilling down, there is a three-part test to demonstrate legitimate interests:
- Purpose test in the processing of data. Consider and document the answers to such questions as: Why do you want to process the data? Who benefits? Are there any wider public benefits? How important are the benefits? What is the cost of not processing the data? Would your use of the data be unlawful or unethical?
- Necessity test in processing data. Consider and document whether the processing of data really does help achieve that interest, whether there is an alternative, less data-intensive way of achieving the purpose, and reasonableness: is the method you have chosen reasonable?
- Balancing test. This concerns being able to show that the individuals’ interests do not override legitimate interests. Consider the nature of your relationship with the individual, whether any data is either highly sensitive or private, and whether people would expect data to be used in this way. Then consider whether you would happily explain the use of data, whether people are likely to object, and any possible impact on the individual and the scale of this impact. Also pay particular attention to whether any data processed relates to children, or if any of the individuals are in any way vulnerable. Finally, consider safeguards that you can put in place, and providing an opt-out option.
The key here is to be able to show these issues were considered and that after doing so you could.