How to minimise the GDPR headache
Can “legitimate interests” avoid us having to seek opt-ins for GDPR?
Unless you have been living on a different planet in the last 18 months or so, you should be well aware that…
On 25 May 2018, GDPR (General Data Protection Regulation) will come into force and if your business holds staff, customer and supplier data, you’ll be affected.
I think it’s safe to say that you’ll already have been harangued to near death about GDPR and have probably received more emails about it than you know what to do with.
Most organisations seem to have assumed the default position that they have to email everyone on their database and obtain their express permission to receive further communications from them after 25th May.
But is this actually always necessary?
I suggest you take a quick read of this:
The generally accepted standard position is that obtaining opt-ins from contacts is going to be necessary if you wish to continue emailing them after 25 May.
However, if you can rely on the “legitimate interests” clause, then this may very well not actually be necessary.
So, what exactly are “legitimate interests”?
According to the Information Commissioner’s Office (ICO), legitimate interests is the most flexible lawful basis for processing or retaining data. As a business, however, you can’t automatically assume it will be appropriate for all of your data processing.
Before you can rely on the legitimate interests clause you will need to take on the extra responsibility of ensuring people’s rights and interests have been fully considered and protected.
Some examples which could be considered a legitimate interest are:
- the processing of personal data for direct marketing purposes
- a direct, appropriate relationship, such as with a client, and
- an individual having a reasonable expectation that their data will be processed.
A closer look
If you’re a charity for example, you might want to contact your existing supporters to update them on how their donations are being used. This could be classed as a legitimate interest.
Before any data was processed though, the charity would need to do a LIA (Legitimate Interests Assessment).
Firstly, you’ll need to think about:
- Why you want to process the data
- Who benefits from the processing and in what way
- If there are any wider public benefits
- The impact if you couldn’t go ahead and
- If the use of data is unethical or unlawful in any way.
Then you’ll need to conduct a necessity test to decide:
- If the processing will actually further your interest
- If it’s a reasonable way to go about it and
- If there is a less intrusive way to get the same result.
Finally, you’ll need to consider the following to decide if the impact of your processing overrides the interest you have identified:
- What is the nature of your relationship with the individual?
- Is any of the data particularly sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Are you processing children’s data?
- Are any of the individuals vulnerable in any other way?
- Can you adopt any safeguards to minimise the impact?
- Can you offer an opt-out?
Once you’ve been through this rather long checklist, you need to decide if you still think legitimate interests is an appropriate basis for you. There’s no absolute formula, but you need to be confident that your legitimate interests are not overridden by the risks above.
If legitimate interests can be used
If your need for the data changes, a new LIA should be carried out and with direct marketing, an individual still has the opportunity to opt-out even if legitimate interests have been proven.
Although it can seem daunting, there is a common-sense approach we can all adopt to GDPR. If someone asks a question about their data, you would need to show that your business has considered the risk of obtaining and using it, and also be ready to explain your policies and procedures.
The ICO would want to see that consent is being taken to collect data and then to hold that data.
You can find more information about GDPR on our blog.