GDPR: How can I use legitimate interest?

GDPR–Legitimate Interests

Find out the steps you need to take to utilise legitimate interest in your business.

Legitimate interest is one of the six lawful bases for holding data set out in GDPR.

It is also the most confusing.

The ICO says this about legitimate interest:

“It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

In essence, legitimate interest is used to show why we hold and use data for which we don’t necessarily have explicit consent or a contractual purpose.

The ICO describes legitimate interest as the most ‘flexible’ of the lawful reasons to hold data. As we have mentioned numerous times in our GDPR blogs, this does not mean that it can be used as a ‘get out of jail free’ card. To class a reason as legitimate interest you will need to show that you have tested the theory.

So, in reality, how do you do this?

You need to run a legitimate interest balance test. Here are some steps to help you, in line with the ICO advice:

1: Identify the legitimate interest(s).

Ask yourself:

  • Why do I want to process the data – what am I trying to achieve?
  • Who benefits from the processing? In what way?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if I couldn’t go ahead?
  • Would the use of the data be unethical or unlawful?

2: Apply the necessity test.

Ask yourself:

  • Does this processing actually help to further that interest?
  • Is it a reasonable way to go about it?
  • Is there another less intrusive way to achieve the same results?

3: Complete a balancing test.

Ask yourself:

  • What is the nature of my relationship with the individual?
  • Is any of the data particularly sensitive or private?
  • Would people expect me to use their data in this way?
  • Am I happy to explain it to them?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Am I processing children’s data?
  • Are any of the individuals vulnerable in any other way?
  • Can I adopt any safeguards to minimise the impact?
  • Am I offering an opt out?

If you can show you have considered these questions and the impact is minimal, reasonable and restricted, then you will have a basis for legitimate interest.

 

TIP

Turn the steps into a table to help you see the flow. You can then keep this document for your records and store it in your GDPR folder.

Please note: we are not lawyers or GDPR experts and we provide advice to the best of our knowledge based on the current information available and without prejudice. GDPR remains the ultimate responsibility of the business owner and we encourage you to always do your own research.
