GDPR. Legitimate Interests and Consent.

In this blog, we’ll discuss the pros and cons of legitimate interests and consent. It can be tricky working out the lawful basis (or bases) under which the data processing activities of your organisation are best defined and justified. They will vary across different business areas and between – and even within – industries. Legitimate interests and consent tend to be most relevant to the private and third sectors and have become the subject of much discussion among marketing and other data-centric professionals.

But first, a bit of context. The General Data Protection Regulation (GDPR) provides six lawful bases for processing, a couple of which are fairly straightforward to understand. For instance, legal obligation is an obvious lawful basis in some circumstances, such as processing accident information for a report to comply with Health & Safety regulations. Almost all professionals will have some experience with this lawful basis of processing. But what about legitimate interests and consent? These have very specific requirements under the GDPR, and it’s important to be familiar with them.

What are the Legal Bases?

The six lawful bases under the GDPR are as follows:

  • Consent:  the individual (data subject) has provided clear, positive consent for you to process their personal data for a specific purpose.
  • Contract:  the processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation:  the processing is necessary for legal compliance (other than contractual obligations).
  • Vital interests:  the processing is necessary to protect someone’s life.
  • Public task:  the processing is necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests:  the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

These are not hierarchical. You must select the single most appropriate lawful basis for the activity and purpose for which you are conducting the processing. There are simple steps you can take to help you decide between legitimate interests and consent.

When and How do I Use Legitimate Interests?

Article 6 of the GDPR grants legitimate interests as a lawful basis if the processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate interests is widely used for marketing and some areas of HR.

So how do we know if this is the case? Well, there’s a three-step test, approved by the Information Commissioner’s Office (ICO), which is summarised below. This is known as a Legitimate Interests Assessment (LIA).

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is this processing necessary? Crucially, could this legitimate interest be pursued without the processing of personal data?
  3. Balancing test: do the individual’s rights override the organisation’s legitimate interests?

It’s important to have these LIAs established and documented prior to any processing. But if you think your organisation could use genuine legitimate interests, here are some benefits:

  • It is the most flexible lawful basis for processing. There are a wide range of legitimate interests, including commercial.
  • Going through an LIA is always useful: you may find ways of streamlining your data processing to what is strictly necessary and limiting your privacy impact.
  • You don’t need to disrupt or pester a data subject with a consent request for processing to which no one would reasonably object.
  • It can also be used for some routine internal processes such as HR.

When and How May I use Consent?

More and more people will be aware of the GDPR’s tightening of the consent definition, but here’s a quick recap: consent is a lawful basis for data processing if…

“The data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

It is the specificity of the purpose for which a data subject’s information is being processed that’s important to remember. Consent must be informed, which means you must tell the individual what data you are collecting, the reason why, and what you will do with it. Evidence of consent must be captured. And remember, data subjects may withdraw consent at any time they wish.

Some other benefits of using consent include:

  • It’s a very strong, unambiguous ground for processing. You asked, and they said yes. As long as you have evidence, it is difficult to argue with.
  • Consumers, in certain contexts, may trust you more for having asked, and may appreciate your concern for data protection rights.
  • It allows individuals to understand and engage with how their own data is being used, fostering a mutual respect for data rights.

If you have any questions about the lawful basis for processing, including LIAs or consent requirements, please contact us via email at team@datacompliant.co.uk or call 01787 277742.

Harry Smithson, 29th September 2019


The GDPR and Profiling

Profiling is a very useful tool which marketers have been using for decades to understand their customers better and to target them appropriately. However, the GDPR does make some changes to how profiling is treated, which should be considered carefully before profiling is undertaken. For the first time, profiling has been included alongside automated decision-making, and the same rights apply to the individuals whose information is being profiled. So how does this affect businesses?

Profiling Benefits

There are obvious benefits both to businesses and consumers in relation to profiling, which is used in a broad number of sectors from healthcare to insurance, retail to publishing, leisure to recruitment.

It is also an extremely useful tool for marketers, providing increased efficiency, savings in resource, and the financial and reputational benefits of understanding customers and establishing more personal, relevant communications with them. The customer or individual benefits in turn from receiving fewer, and far more relevant, communications.

What is profiling?

The GDPR defines profiling as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”

Profiling can be as simple as segmenting your own customers into groups based on gender, purchase history, and other data that the customer has provided to you during your relationship. It becomes more complex when additional data is added to the mix, for example by enriching the information your customer has provided with data from external sources such as social media, or providers of geo-demographic or lifestyle data.

Profiling and the GDPR

As with all processing under the GDPR, those who profile individuals have responsibilities to those individuals. Profiles must be accurate, relevant, and non-discriminatory. All six GDPR principles become critical because profiles are evolutionary: over time, individuals’ profiles will change, so accuracy and retention are critical. Privacy by design is key, as is the requirement that individuals must be made aware of such profiling and of their right not to be subject to such decisions.

It’s worth noting that automated decisions can be made with or without profiling. And the reverse is also true – profiling can take place without making automated decisions. It’s all a matter of how the data is used. Where decisions are made manually, Article 22 does not apply.

Consent or Legitimate Interests?

The lawful basis under which profiling takes place is a matter for careful consideration. There has been debate over whether profiling requires the consent of the individual who is being profiled, or whether legitimate interests may apply.

There will be instances where the profiling will have a legal or similarly significant effect – for example, in financial services (mortgage yes or no), or when marketing to vulnerable customers, such as gambling products to those in financial difficulty. Where profiling is considered to have a legal or significant effect, an organisation will need to rely on the lawful basis of consent before profiling and making decisions on the basis of such profiling.

However, in many cases, marketing will not have such an impact, and in those cases consent will not be required. Instead, it may be possible to rely on legitimate interests. But before such a decision is made, a Legitimate Interests Assessment will need to be conducted. This will need to consider the necessity of the profiling, the balance of benefits to the individuals versus the business, and the measures taken to protect the personal data and profiles involved.

The Legitimate Interests Assessment will not only help you determine whether it is appropriate to conduct the profiling on this basis, it will also provide evidence that the individuals’ rights have been considered, contributing to the business’s need to meet the GDPR’s new principle of accountability.

Victoria Tuffill, 7th March 2018