The GDPR stipulates that data controllers and processors must process personal data lawfully. There are six lawful bases for processing data: consent, contract, legal obligation, vital interest, public task and legitimate interest. Details of each are explained here, but for the purpose of this blog I’m going to focus specifically on ‘Legitimate Interest’.
Legitimate Interest is the least clear-cut of all the lawful bases. To the inexperienced eye it can easily be misinterpreted as a ‘catch all’ for any other data processing needs, when in reality it’s the most complex basis to apply, because it requires you to assess and justify your reasoning.
Legitimate Interest Assessment
Let’s look at the basis:
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
If your legitimate interest is in the context of fraud prevention, network and information security, or identifying possible criminal acts or threats to public security, your interest is on good grounds, because these interests are specifically noted as legitimate under GDPR.
If, however, you are justifying a commercial interest for your organisation or a third party (which is completely acceptable), or even if you believe the processing is in the interest of wider society, you will have more work to do to present your case for legitimacy.
Assuming you’re not a public authority (with some exceptions) and you have ruled out the other five lawful bases for processing, your next step is to carry out a Legitimate Interest Assessment (LIA). There are three parts to this, so it is often referred to as the Three Part Test.
1. Purpose Test: Assess if there is a legitimate interest behind the processing.
2. Necessity Test: Assess if the processing is necessary for the purpose you have identified.
3. Balancing Test: Consider the impact on individuals’ interests, rights and freedoms, and assess whether this overrides your legitimate interests.
The Purpose Test
Think about why you want to process the data and what benefit you expect to get from it: whether third parties or the broader public will benefit in any way, how important the perceived benefits are, and whether there would be a negative impact if you didn’t carry out the processing. Are you complying with any specific data protection rules that apply to your processing, such as profiling requirements or e-privacy legislation? Are you complying with other relevant laws, industry guidelines or codes of practice, and does the processing raise any ethical issues?
The Necessity Test
Think about whether the processing will help you achieve your purpose, whether it’s proportionate, and whether you need the level of data you’re proposing in order to achieve the purpose. Perhaps there is another way to achieve the same purpose which doesn’t require the processing.
The Balancing Test
The balancing test is the heart of your LIA. For this exercise, you need to consider the impact of processing the data on individuals’ interests, rights and freedoms, and assess whether this overrides your legitimate interests. You are balancing your interests against the data subject’s interests, rights and freedoms.
The balancing test requires you to consider:
- The nature of the personal data: is it special category or criminal offence data, will data subjects consider it to be private, and does it belong to children or vulnerable people? In these cases, you should probably also have a DPIA to refer to.
- Reasonable expectations: would the data subject reasonably expect you to process the data for the stated purpose? What would be the likely impact on the data subject of processing the data?
Things to consider which will have a bearing on reasonable expectations include: whether you have an existing relationship with the data subject, the nature of that relationship and how you have previously used the data; whether you collected the data directly from the data subject or from a third party, in which case, is the processing covered by the third-party arrangement?; and whether the data is old, or there have been changes in technology and context since you collected it which would likely change the data subject’s expectations.
- Likely impact: here you get to the crux of the balancing test, because the level of likely impact will tip the scale either towards you or towards the data subject. Factors to consider are: what are the possible impacts of the data processing on the subject, what is the severity of those impacts, and what is the likelihood of them occurring? Will the subject lose control over the use of any of their personal data? What systems could you put in place to safeguard the data? And if you explained the purpose to the data subject, do you think they would decline?
I often think that asking yourself whether you would consider it a Legitimate Interest if it were your data is a good gauge. Some final useful pointers on this subject include:
- No one lawful basis is better than another; what is important is that you select the correct one and are confident of your decision, because you shouldn’t change lawful basis at a later stage.
- Importantly, document your legitimate interests and your LIA to help show accountability.