GDPR deep dive: Legitimate Interest
By Allen Mamo
While there is no shortage of general commentary about the GDPR, this article takes a deep dive into one specific aspect of it: legitimate interest.
The GDPR requires all public and private bodies to determine the lawful basis for any processing of personal data that they do. This article will focus on the hot topic of legitimate interest as a lawful basis for processing personal data, which is arguably one of the most misinterpreted aspects of the GDPR.
To contextualise, the GDPR covers six lawful bases for processing personal information:
- Consent – individual gives their consent for processing their data;
- Contract – processing is necessary to perform or enter into a contract;
- Legal basis – processing is necessary to fulfil a legal obligation;
- Public task – public authorities/organisations in the scope of public duties and interest;
- Vital interest – processing is vital for matters of life and death; and
- Legitimate interest – processing has a weighed and balanced interest between the organisation and individual.
Of these six legal grounds for collecting, processing and transferring personal information, the first refers to explicit and specific consent, the second to performance of a contract (for example, for providing a service to customers), and the following three (legal basis, public task and vital interest) are used in more particular scenarios with little to no leeway. This leaves us with the sixth basis, legitimate interest, which we will now examine in more detail.
The essence of legitimate interest is that mutual interest for the storage, processing and transferring of personal data is held between the organisation (data controller or data processor) and the individuals (data subjects). More factors go into understanding what legitimate interest involves, which can make it more complicated. One excerpt from Article 6 of the regulations explains how:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
However, Working Party 29 (EU data protection authorities charged with issuing European-wide guidance on the GDPR) has made it clear that merely declaring a legitimate interest does not entitle an organisation to use personal data. Thus, this leads us to the importance of undertaking an assessment and documentation of the process.
Legitimate Interests Assessment (LIA)
If you choose to rely on legitimate interests as the lawful basis for a given process, you take on extra responsibility to ensure that people’s rights and interests are adequately considered and protected.
If challenged, one would need to defend the decision for choosing legitimate interests to the Supervisory Authority and/or the individual challenging the process. This would involve showing that full consideration has been taken to protect the rights of the individual in relation to the purpose and interest of processing the data. That is, your interests do not override the individual’s rights. This process together with the final decision should be documented. Should any changes be made to the interest or purpose of the data being collected, this process must be reviewed and once again recorded.
When considering such a basis for processing, three activities should be carried out to validate your choice, which together form what is known as the legitimate interests assessment (LIA). Conducting an LIA can help ensure that the privacy rights of individuals are given due consideration.
You should start by identifying a legitimate interest for processing the particular data in question – why do I want to process this data, and more importantly, who is benefitting from the processing? You need to determine whether there are any wider public benefits to the processing, and how important these benefits are.
The next step is to determine whether processing is actually “necessary” to carry out your commercial or business objectives. The usual way to determine this is to ask yourself whether there is another way of achieving the identified interest. Should there be another reasonable and less intrusive way to achieve that interest, then that option must legally be pursued. For example, rather than disabling all downloads from the internet to reduce the risk of malware on the network, an organisation may instead install malware prevention and detection software on each computer.
As stated earlier, it needs to be shown that your interests are not overriding the individual’s rights. In essence, what this means is that you must balance your interests against the individual’s interests. For example, should the individual expect you to use their personal information in another fashion, or should the processing cause them unwarranted harm, their interests are likely to override yours and hence legitimate interests cannot be used.
Notice of processing
The GDPR requires you to take appropriate measures to provide information with regards to processing. This should be done in a concise, transparent, intelligible and easily accessible format, using clear and plain language. This is particularly important for any information that addresses children.
With this, you should inform the individuals that you are using their personal data on this lawful basis, explaining to them what the legitimate interests are, and also informing individuals of their right to object to processing. Information should be transparent, displayed in a manner that is explicit, clear and separate from other information.
In this article, we have closely examined processing on the basis of legitimate interests and the steps needed to be taken to ensure compliance with the GDPR. The importance of conducting an LIA should not be underestimated, as the assessment can greatly help in establishing and documenting legitimate interest as a lawful basis. Although this process is crucial, one would need to remain mindful of the overall process of becoming compliant with the GDPR as well as maintaining such compliance.
Allen Mamo is a Senior IT Risk Consultant at Deloitte Malta Risk Advisory. For more information, please visit www.deloitte.com/mt/gdpr