On this date next year, the General Data Protection Regulation will have come into force across Europe and, even with Brexit on the horizon, in the UK, too.
Currently, the guidelines relating to what constitutes as 'legitimate interests' can differ between EU countries. However, an independent advisory board suggests the following assessment take place before any decision is made to process personal data:
- Determine if an interest is legitimate or illegitimate
- Determine whether processing is necessary to achieve the interest pursued
- Assess whether a data controller's interest is overridden by fundamental rights or interests of the data subjects
- Establish any additional safeguards
- Demonstrate compliance and ensure transparency
While these requirements will remain broadly equivalent under GDPR, data processors will need to be aware of new stipulations, including:
- The interests and rights of children. Data processors will have to ensure that any 'legitimate interest' uses are carefully documented and a risk assessment has been conducted
- 'legitimate interests' can no longer be relied upon by public authorities (a national, state or local governmental agency) in relation to data processed by them in the performance of their tasks
1. What are 'legitimate interests'?
Examples of when processing could be permitted include fraud prevention, internal administrative purposes, ensuring network and information security, and reporting possible criminal acts.
2. Will I be required to keep records?
If you are a controller that relies on ‘legitimate interests’ for data collection, then a record will be needed to show that proper consideration has been given to the rights and freedoms of data subjects.
Read more about GDPR
- GDPR: Seven questions about marketing consent
- GDPR: Seven questions about data subject rights
- GDPR: Four questions about data profiling
- GDPR: Four questions about data and 'legitimate interests'
- GDPR: Seven questions about personal data breaches
3. Can all businesses use the 'legitimate interest' route?
As mentioned, public authorities cannot use the 'legitimate interest' route. 'Legitimate interest' can only be used for post and telephone marketing. Other methods (email, SMS and automated calls) require consent.
4. Can individuals object to this form of data collection?
Data subjects have the right to object to processing under legitimate interests. Individuals can unsubscribe/opt out of the processing of their personal information. You will also have to check if the individual is registered on any suppression lists before contacting them.
What stage are you at with your preparations for GDPR? Our compliance specialists can help assess the condition of your database and offer assistance with issues relating to contracts, policies and other marketing practices.
To find out more, please click the link below or email us at firstname.lastname@example.org