GDPR: ICO publishes new guidance on legitimate interests – what you need to know

It’s understandable marketers are looking for an alternative to the complex and restrictive conditions under consent. After all, the GDPR says “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” – and even the ICO has said previously: “If consent is too difficult, look at whether another lawful basis is more appropriate.”

Last week the ICO sneaked out new, detailed guidance on the use of legitimate interest as a legal ground, and I’ve done my best to quickly summarise the key points marketers need to be aware of. But I would urge all those grappling with GDPR to take a look at the guidance in detail, as although we’ve been kept waiting, it provides vital insight for compliance.

What’s changed?

Legitimate interest already exists under the Data Protection Act, and the ICO suggests the GDPR is not a huge departure. The three necessary elements – a legitimate interest, a necessity test, and balancing against the rights of the individual – remain. What GDPR has changed is the need to document your assessment and justify your decision, and to tell individuals what your legitimate interest is. It adds that if you currently process data on the basis of consent, and you don’t yet meet the GDPR standard, you could swap to legitimate interest.

The three-part test

The ICO has clarified the expectations around using legitimate interest as a basis for processing personal information. It breaks down the test to cover:

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

Defining a legitimate interest

The guidance gives succour in saying that “the interests do not have to be very compelling”, but that “you (or a third party) must have some clear and specific benefit or outcome in mind. It is not enough to rely on vague or generic business interests”.

It’s not enough to say you have a legitimate interest in processing customer data; a more specific statement is required. An example provided by the ICO reads: “We have a legitimate interest in marketing our goods to existing customers to increase sales.”

However, it adds that you should not forget about the word ‘legitimate’. Even though marketing is legitimate, “sending spam in breach of electronic marketing rules is not legitimate”. Something to consider as we continue to wait for the final revision of the new European e-privacy directive.

The ICO also points out that the need for processing to be ‘necessary’ doesn’t mean ‘essential’, but it must be a targeted and proportionate way of achieving your objective.

Reasonable expectations

Part of the balancing test is whether individuals would “reasonably expect” their data to be processed. The factors that might affect this could include:

  • What you tell them in your privacy statement
  • The relationship you have with them, and its nature
  • When you collected their data
  • Where you got it from
  • If you’re using new technology or processing their data in a way the subject would not anticipate.

Even if the impact on the data subject is negative, that doesn’t necessarily rule out the processing – you just need to weigh that balance more carefully.

Author: Brandon