ICO draft guidance: legitimate interests as a lawful basis for processing
The GDPR significantly alters the balance of obligations, responsibilities and liabilities for controllers and processors of data. It mandates that a processor must have a lawful basis for the processing of data. However There are some impactful changes, particularly when looking to rely on legitimate interests as the lawful basis upon which a processor intends to process data.
The GDPR also brings in new accountability and transparency requirements, meaning that processors must be able to show that they have a lawful basis for each processing operation, and must inform individuals which lawful basis if being relied upon. Furthermore, under GDPR the interpretation of legitimate interests is now broader, encompassing the interests of any third party, including wider societal benefits.
Legitimate interests is the most flexible lawful basis for processing. However, when choosing to rely on this basis it is important to be aware of the extra responsibilities in considering and protecting people’s rights and interests. A legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal interests.
The Information Commissioner’s Office (ICO) has issued draft guidance to assist organisations in identifying if a legitimate interest is the most appropriate basis, and if so how to ensure compliance with the terms of the GDPR. The ICO confirms its interpretation of the GDPR and provides a general recommended approach to ensure compliance.
Legitimate interests is likely to be the most appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. Legitimate interests should be avoided in situations where personal data is being used in a way that data subjects would not understand or reasonably expect.
The ICO outlines that, as per the GDPR, when relying on legitimate interests as a lawful basis for processing, a processor must be able to:
- identify a legitimate interest (Purpose);
- show that the processing is necessary in order to achieve it (Necessity); and
- balance it against the individual interests, rights and freedoms of the data subjects (Balance).
The ICO recommends that if you want to rely on legitimate interests in practice, then a three-part test should be undertaken to establish whether or not this is the most practical and applicable basis; the ICO refers to this as a Legitimate Interests Assessment (LIA). This is a light touch risk assessment based on the context and circumstances of the processing of data. In addition to this, recording the LIA will also help to ensure compliance with accountability obligations under Articles 5(2) and 24.
The test outlines firstly that you identify a purpose for the processing (i.e. what is the legitimate interest). Things to consider include the reason for the processing, such as:
- what is trying to be achieved?
- who benefits?
- what would the impact be if the processing did not go ahead?
Secondly, apply the necessity test. Things to consider here include:
- whether or not the processing actually helps to further the interest?
- is it reasonable?
- is there a less intrusive way to achieve the same result?
Thirdly, you must balance the necessity of processing the data against the impact of the processing on the data subjects. The following should be considered:
- the nature of the relationship with the data subject
- is the data particularly sensitive?
- would it be expected for the data to be used in this way?
- what’s the possible impact?
- would a data subject object or find the processing too intrusive?
The ICO further outlines that legitimate interests can be relied upon across a variety of situations, including processing employee or client data, intra-group transfers, marketing activities, B2B contacts, processing of children’s personal data (although special care should be taken here) and the disclosure of data to third parties.
Why is this important?
Although legitimate interests is not a new concept under the GDPR, the new requirements for processors are key to using this basis as the lawful basis for processing. Accountability and transparency requirements mean that processors need to be more pro-active when it comes to recording the reliance on legitimate interests as a lawful basis for processing.
Any practical tips?