The Data Protection Network (DPN) has released guidelines on the use of Legitimate Interests to justify the processing of data under the EU’s General Data Protection Regulation (GDPR). These guidelines have been supported by the UK Information Commissioner’s Office and the Data Protection Commissioner of Ireland, but as we’re not lawyers please do take proper legal advice (although we can’t believe anyone would really trust legal “advice” from a PR agency).

The GDPR sets out 6 lawful grounds for processing personal data. Along with consent, one of the most important grounds is “Legitimate Interests”. As one of these legitimate interests is processing data for direct marketing purposes, this is an important topic for marketers.

Although processing can be necessary for the legitimate interest pursued by the controller or by a third party, those interests can be overridden by the interests or fundamental rights and freedoms of the data subject. So it’s not possible for an organization to simply cite direct marketing as a legitimate interest and carry on processing data for this purpose without any impact from the GDPR.

There are 3 stages that organizations must go through to assess whether a legitimate interest applies:

  1. Assess whether the legitimate interest exists
  2. Establish whether the particular processing activity is essential for the pursuit of the legitimate interest(s)
  3. Perform the balancing test to decide whether a particular processing activity can be undertaken on the basis of the legitimate interests condition.

Transparency is also a key part of the GDPR. So even if a legitimate interest applies, organizations must fulfil the GDPR’s enhanced transparency requirements: they must inform individuals when processing is being undertaken on the basis of legitimate interests and what those interests are. The individual(s) then have the right to object to any processing being undertaken on the basis of the legitimate interests condition. The DPN has suggested taking a more layered approach, with a click-through to more detailed information on the legitimate interests ground. It was also suggested that more innovative businesses may want to take advantage of privacy-enhancing tools, such as adding branded logos, videos and dashboards.

Although more businesses are focusing on the legitimate interests ground to justify certain activities, as consent is hard to obtain under the GDPR, the legitimate interests ground still requires a careful thought process, and it’s important to document the analysis as part of an organization’s compliance story.

Each individual still continues to have the right to object to any personal data being used, and although businesses may be able to override this on the basis that they can show a compelling legitimate interest, it’s unlikely that direct marketing will trump an individual’s objection. So it’s essential to allow subjects to opt out easily, and to provide capabilities to erase their data.

The GDPR suggests that organizations should all aim to process data for activities that are in a controller’s or a third party’s legitimate interests and that benefit individuals. Organizations should explain the benefit to the data subjects; for example, to ensure that they are shown adverts for products or services they might be interested in. Organizations need to positively enable individuals to choose not to have their personal data used in a certain way, for example through brand-friendly privacy dashboards. They should also ensure they have the technical means to act on an individual’s objection.

Disclaimer: We’re not lawyers, so please do not take any of this information as legal advice. Hopefully it gives you some ideas, but please do consult with trained legal professionals, particularly as it looks like some of the GDPR will be open to interpretation by the courts.