Industry group issues guidance on GDPR legitimate interests
The Data Protection Network (DPN) has published guidance on legitimate interests under the EU General Data Protection Regulation (GDPR). This practical tool is aimed at helping commercial and not-for-profit organisations to decide whether or not they can rely on legitimate interests as a lawful basis for processing.
The guidance suggests that organisations carry out a Legitimate Interests Assessment (LIA) wherever they seek to rely on legitimate interests, even where the balance of interests is clearly in favour of the controller. The three stages of a LIA are
1. Identify a Legitimate Interest
2. Carry out a Necessity Test
3. Carry out a Balancing Test.
In terms of identifying a legitimate interest, organisations need to note that any third parties would have to conduct their own LIA for their own processing purposes.
To conduct a necessity test, the authors suggest that organisations simply ask themselves whether there is another way of achieving the identified interest.
When carrying out the balancing test, organisations should consider the reasonable expectations of the individual, the type of data, the nature of the interests of the data controller (for example, public interest), and any possible harm to the individual as a result of the processing.
The guidance is a joint effort by the Direct Marketing Association, ISBA (British advertisers) and representatives of some of the largest companies and institutions in the UK.
The ICO supports the central concept of a Legitimate Interests Assessment (LIA), and documenting this process on a template. This initiative will help organisations to demonstrate accountability and transparency.
The authors stress that in its Draft Consent Guidance published earlier this year, the Information Commissioner’s Office stated that consent should be used only when a genuine choice can be offered. If not, other grounds for processing should be considered.
The DPN guidance includes a template for conducting a Legitimate Interests Assessment (LIA), and examples of where a legitimate interest might apply.
Robert Bond, Chairman of the Data Protection Network and Partner and Notary Public at Bristows LLP said, “I am delighted that the Data Protection Network and other collaborators have been able to publish this guidance. I appreciate the work of all involved and the Information Commissioner’s Office for valuable scrutiny and comment. This guidance will be kept under review and updated as necessary.”
See https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance/ (registration with DPN is required to access the guide).