Can legitimate interests avoid us having to seek opt-ins for GDPR?

Unless you have been living on a different planet, you should be well aware that in 2018 the GDPR (General Data Protection Regulation) came into force. This makes the concept of legitimate interests very important, so read on to find out what it is.

Many organisations assumed the default position that they had to email everyone on their database and obtain their express permission to receive further communications from them after that date.

But is this actually always necessary?

I suggest you take a quick read of this:

The generally accepted standard position is that obtaining opt-ins from contacts is necessary if you wish to email them after the 25 May 2018.

However, if you can rely on the “legitimate interests” clause, then this may very well not actually be necessary.

So, what exactly are “legitimate interests”?

According to the Information Commissioner’s Office or ICO, legitimate interests is the most flexible lawful basis for processing or retaining data. As a business, however, you can’t automatically assume it will be appropriate for all of your data processing.

Before you can rely on the legitimate interests clause you will need to take on the extra responsibility of ensuring people’s rights and interests have been fully considered and protected.

Some examples which could be considered a legitimate interest are:

  • the processing of personal data for direct marketing purposes
  • a direct and appropriate relationship, such as with a client, and
  • an individual having a reasonable expectation that their data will be processed.

A closer look

If you’re a charity for example, you might want to contact your existing supporters to update them on how their donations are being used. This could be classed as a legitimate interest.

Before any data was processed though, the charity would need to do a LIA (Legitimate Interests Assessment).

Firstly, you’ll need to think about:

  • Why you want to process the data
  • Who benefits from the processing and in what way
  • If there are any wider public benefits
  • The impact if you couldn’t go ahead and
  • If the use of data is unethical or unlawful in any way.

Then you’ll need to conduct a necessity test to decide:

  • If the processing will actually further your interest
  • If it’s a reasonable way to go about it and
  • If there is a less intrusive way to get the same result.

Finally, you’ll need to consider the following to decide if the impact of your processing overrides the interest you have identified:

  • What is the nature of your relationship with the individual?
  • Is any of the data particularly sensitive or private?
  • Would people expect you to use their data in this way?
  • Are you happy to explain it to them?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Are you processing children’s data?
  • Are any of the individuals vulnerable in any other way?
  • Can you adopt any safeguards to minimise the impact?
  • Can you offer an opt-out?

Once you’ve been through this rather long checklist, you need to decide if you still think legitimate interests is an appropriate basis for you. There’s no absolute formula, but you need to be confident that your legitimate interests are not overridden by the risks above.

If legitimate interests can be used…

Keep a copy of your LIA in case it’s needed and outline your use of legitimate interests within your privacy policy.

If your need for the data changes, a new LIA should be carried out. With direct marketing, an individual still has the right to opt out even if legitimate interests have been established.

Just remember…

Although it can seem daunting, there is a common-sense approach we can all adopt to GDPR. If someone asks a question about their data, you would need to show that your business has considered the risk of obtaining and using it, and also be ready to explain your policies and procedures.

The ICO would want to see that consent is being taken to collect data and then to hold that data.

About Jon Pryse-Jones

Since joining THP in 1978, Jon Pryse-Jones has been hands on with every area of the business. Now specialising in strategy, business planning, and marketing, Jon remains at the forefront of the growth and development at THP.

An ideas man, Jon enjoys getting the most out of all situations, “I act as a catalyst for creative people and encourage them to think outside the box,” he says, “and I’m not afraid of being confrontational. It often leads to a better result for THP and its clients.”

Jon’s appreciation for THP extends to his fellow team members and the board. “They really know how to run a successful business,” he says. He’s keen on IT and systems development as critical to success, and he continues to guide THP to be at the cutting edge and effective.