The General Data Protection Regulations (GDPR) will apply from 25 May 2018.
In my previous blogs I have outlined what process changes you need to consider and also looked at what is meant by getting consent. However, although there will be circumstances in which you need to look at getting consent, this is not the only way in which you can establish a ‘lawful basis’ for data collection and processing under GDPR.
The most useful and flexible basis is ‘legitimate interest’ and it is anticipated that this is the one that most businesses will use most of the time. This is likely to be appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. It follows therefore that you are taking on responsibility for considering and protecting people’s rights and interests.
There are three elements to the legitimate interests basis. You need to:
· identify a legitimate interest;
· show that the processing is necessary to achieve it; and
· balance it against the individual’s interests, rights and freedoms.
So what are ‘legitimate interests’? These can be your own interests or the interests of third parties, and can include commercial interests, individual interests or even the interests of society as a whole.
The processing must be necessary. This means that if it is possible and reasonable for you to achieve the same result in another less intrusive way, you can’t rely on the legitimate interests basis.
You also have to balance your interests against those of the individual data subject. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
You should keep a record of your legitimate interests assessment so that you can demonstrate compliance if you are challenged. You can probably build this into your data processing model to help you demonstrate compliance if required.
Most importantly, if you intend to rely on this basis, your privacy notice to individuals must set out details of what your legitimate interests are.
As I mentioned in my previous blog on consent, you’ll always need to take special care if you are marketing to children and we currently await the outcome of the ICO consultation for more details.
If you want to rely on legitimate interests in order to lawfully disclose personal data to a third party, you need to consider why they want the information, whether they actually need it, and what they will do with it. Your obligation is to be able to demonstrate that the disclosure is justified.
Although it is expected that legitimate interests will be widely used as a lawful basis for data processing, please don’t use it as a catch-all and assume it will always achieve compliance. You should avoid using the legitimate interests basis if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them, or of course if you think the processing could cause harm, unless you are confident there is nevertheless a compelling reason to go ahead which justifies the impact.
No real difficulty there then! Do let me know how you get on, but please also bear in mind that this is only an overview and you should consider expert assistance in devising your processes and procedures.