GDPR and legitimate interest: What is it and have you got it?

17th Oct 2017

In a new series, MyCustomer speaks with a panel of experts to try to bring clarity to some of the more opaque areas of the impending General Data Protection Regulation (GDPR).

In the first of the series, we examine the issue of “legitimate interest”.

GDPR indicates that organisations can continue to lawfully process personal data from their existing database (i.e. without repermissioning) if they can demonstrate “legitimate interest”. But what constitutes “legitimate interest” and how can organisations find out whether their use of customer data qualifies as “legitimate interest”?

What is legitimate interest?

Paul Laughlin, founder, Laughlin Consultancy

Legitimate interests are those uses of personal data by a data controller that are deemed necessary (e.g. to provide the product or service) or reasonably to be expected by a data subject. A clear example of the latter is the basis of an existing customer relationship.

Given direct marketing (for example) is accepted as a legitimate business interest, prior data capture and comms with customers should have set an expectation of being marketed (e.g. regarding related products/services/upgrades). From then on, it is reasonable to keep marketing such customers, if they are provided with a clearly identified way to opt-out (at any point). There is still a need to explain the basis on which you are marketing them, so the bigger challenge might be getting that wording into plain English (e.g. don’t say “legitimate interest”).

Plus, it’s also important to realise that GDPR makes clear an expectation of a balance being struck. Any ‘legitimate interest’ must not override the fundamental rights or freedoms of an individual (data subject). A clear example of this is the greater scrutiny of your treatment of children in this regard. GDPR expects data controllers to consider suitable protections for children. I would suggest this includes data controllers needing to identify them in their datasets and thinking twice before marketing to them on this basis. This balance should also prompt marketers to think about the relevance & timing of such marketing – as clearly inappropriate marketing might well be harder to defend.

Will Kemble-Clarkson, managing consultant, Ctrl-Shift

The litmus test for legitimate interest is “would your customer be surprised (in a bad way) if you told them about it?”. If the answer is “yes” then you’re better off getting consent. Legitimate interest is relatively weak grounds for processing. You have to inform your customer in the information notice (the mandatory notification of how the company is enabling the customer’s data rights), so if they don’t agree with the grounds for legitimate interest they can a) walk away and b) challenge it. Clearly, neither of these options is good for business.

Iain Lovatt, chairman, Blue Group Inc

Many actions can constitute legitimate interest. Some of the most obvious include credit checks and risk assessment, compliance with law enforcement and regulatory bodies, employment data processing, and product development and improvement. In the world of marketing, personal data may be processed under legitimate interests for the purpose of suppressions (holding on to limited data to ensure marketing communications are no longer sent), for website personalisation and for direct marketing (a charity sending a postal mailshot to existing supporters, for example).

Many marketers were thrown a curve ball when they read in the GDPR guidelines that “processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. My understanding is that this means businesses can continue to send marketing to those individuals who have already consented, pre-GDPR. Assuming, of course, they originally sought consent and processed their data legitimately (i.e. compliant with PECR, the existing electronic communication laws).

In all instances of legitimate interest, there remains the requirement for several things: to justify that your plans to use their data are necessary; to make it clear to individuals how you plan to use their data; and that you have given individuals a clear, easy opportunity to exercise their right to object to this data processing.

Jim Roberts, director and founder, BlacklerRoberts

The GDPR mentions a number of interests, from Public, Data Subject, Legal and Contractual to Legitimate Interest, which could be used to process personal data. Looking specifically at “Legitimate Interest”, there are several statements in the GDPR which point to using this to continue processing personal data, namely (please note these are paraphrased):

  • Recital 47 - The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
  • Recital 69 - Where personal data might lawfully be processed on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.
  • Article 6(f) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

So from this, “legitimate interest” can be used, but the controller has to demonstrate it and, as per Article 13(d), tell the data subject of the interest, with the ability still available to object to this processing.

Recital 47 has caused the most excitement and been interpreted as a blanket licence to process personal data, but I believe it can be looked at from two points of view. As an analogy, think of taking a journey in a car: there is the initial starting point (the key to start the car), which is the initial contact point, and then there is the rest of the journey involving acceleration, braking, indicators, etc. All are important for the journey, but without the start you have no journey.

For direct marketing the second part can use “legitimate interest” in a lot of cases, so for example:

  • Suppressions – In most cases probably a legal reason, so a legitimate interest to process data to pass against 3rd party suppression datasets (Mortality, TPS, etc.).
  • Personalisation – To help make the communication/experience more relevant and contextual.
  • Quality – To enhance/validate the personal data (e.g. PAF).

In contrast for the first part (starting the car in our analogy) there are examples of legitimate interest, but I believe they are more limited and include:

  • Existing Conversation – Yes, if they have initiated a relationship asking about a certain product and you are continuing this conversation, but not to then send unrelated communications on other products/services. This falls into the expected processing, as the customer would expect to be responded to, or the conversation to continue. There is a time limit on this however, as a conversation started n years ago would struggle to be classed as legitimate interest. The collection of business cards at events comes into this area, so a follow-up contact specifically about the event would be legitimate but not the continued communication n years later.
  • Adding Value – This means adding value to the data subject, so a reminder of an insurance renewal.

As with car journeys, you will complete lots of customer contact journeys, and for each start you will need to understand whether legitimate interest can be used; once on the road, I believe it can be applied a lot more freely. In addition, the ICO are still to publish guidance on this topic, which is due next year, so I expect further clarity to come; having had a quick look at the new UK Data Protection Bill, I can see no further clarity offered as yet.

How can organisations find out whether their use of data constitutes legitimate interest?

Paul Laughlin

A number of sources of information are available to check on activities that constitute legitimate interests. Two examples cited in GDPR recitals are direct marketing and fraud prevention, as well as data processing deemed as being in the public interest. Beyond those, I would advise leaders to browse the wealth of material already being published by both the ICO, the IDM, the DMA, as well as many major legal firms (or read the GDPR recitals yourself).

It is also worth noting that the EU is currently working on an e-Privacy directive that will override this for emails, texts, etc – so keep an eye on any further restrictions to be expected within a year or two.

Will Kemble-Clarkson

The ICO won’t give guidance on this until January so the best advice is test it out with customers. If there’s a consensus on what the business and the customer consider to be legitimate grounds for processing (and it can be evidenced) then that’s a sound case to agree with the regulator.

Iain Lovatt

Businesses hoping to use legitimate interests to process customer data will need to identify and articulate this purpose to individuals. They should also conduct a Legitimate Interest Assessment to show that the processing is necessary (be that a legal obligation, because an individual has entered into a contract or asked to enter into a contract, to protect an individual’s ‘vital interests’ and so on).

The third requirement is a balancing test, which will establish whether your interests outweigh those of the data subject. Note, this is a subjective test that will need to be documented and made available to the relevant authorities if needs be.

Micky Khanna

Slightly more tricky to answer this, but if they obtained the customer's personal information within the guidelines of GDPR (originally) then they can be confident that they tick the legitimate interest box.

If they can't be sure whether they obtained the customer data within the guidelines of GDPR (originally), then they need to go back through their database to categorise the data so that they comply. This is quite a delicate operation, as they won't want to trouble their customers into having to authorise consent again, so one idea might be to inform their database that they’re about to update their privacy policy and Ts & Cs to reflect the coming changes, and to request their database to read and approve these or they'll be removed from the database.

Jim Roberts

The DPN (Data Protection Network) have published a guide on this including a Legitimate Interests Assessment (LIA) template, which is fairly comprehensive and covers the key questions to ask on this.
