Find out the steps you need to take to utilise legitimate interest in your business.
Legitimate interest is one of the six lawful bases for holding data as decreed by GDPR.
It is also the most confusing.
The ICO says this about legitimate interest:
“It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”
In essence, legitimate interest is used to show why we hold and use data for which we don’t necessarily have explicit consent or a contractual purpose.
The ICO describes legitimate interest as the most ‘flexible’ of the lawful reasons to hold data. As we have mentioned numerous times in our GDPR blogs, this does not mean that it can be used as a ‘get out of jail free’ card. To class a reason as legitimate interest you will need to show that you have tested the theory.
So, in reality, how do you do this?
You need to run a legitimate interest balance test. Here are some steps to help you, in line with the ICO advice:
1: Identify the legitimate interest(s).
- Why do I want to process the data – what am I trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if I couldn’t go ahead?
- Would the use of the data be unethical or unlawful?
2: Apply the necessity test.
- Does this processing actually help to further that interest?
- Is it a reasonable way to go about it?
- Is there another less intrusive way to achieve the same results?
3: Complete a balancing test.
- What is the nature of my relationship with the individual?
- Is any of the data particularly sensitive or private?
- Would people expect me to use their data in this way?
- Am I happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Am I processing children’s data?
- Are any of the individuals vulnerable in any other way?
- Can I adopt any safeguards to minimise the impact?
- Am I offering an opt-out?
If you can show you have considered these questions and the impact is minimal, reasonable and restricted, then you will have a basis for legitimate interest.