Processing personal data under GDPR – with a focus on ‘legitimate interests’

The basics

In order to be able to process personal data, organisations must have a lawful basis/bases for each processing operation. If there is no lawful basis, the processing will be unlawful. There are six lawful bases under GDPR:

  • consent
  • contract
  • legal obligation
  • vital interests
  • public task
  • legitimate interests.

Importantly, public authorities will not be able to rely on ‘legitimate interests’ as a lawful basis for carrying out data processing when performing their tasks as a public authority. They will need to consider the new ‘public task’ basis for most of their processing.

The ICO says that organisations now need to review their existing processing, identify the most appropriate lawful basis and check that it applies – in many cases it is likely to be the same as the existing condition for processing used under the Data Protection Act 1998 (DPA). The ICO recently published a lawful basis interactive guidance tool, to help organisations assess which lawful basis is likely to be most appropriate for their processing activities.

Below are key points arising from the section of the ICO’s Guide on lawful basis for processing:

  • Failure to clearly identify from the start the most appropriate lawful basis/bases is a breach of GDPR. Organisations should try to get it right first time.
  • The lawful basis being relied on for each processing purpose, and the justification for relying on it, should be clearly documented to meet GDPR’s new accountability requirements. Organisations need to be able to demonstrate that the lawful basis applies.
  • Individuals must be informed by 25 May 2018 about the lawful basis for processing their personal data. See the right to be informed section of the Guide for more details.
  • The information should be included in all future privacy notices.
  • The choice of lawful basis can affect the availability of certain individual rights (for example, the right to object or the right to data portability). Note that the right to object to processing for the purposes of direct marketing will always apply. See the individual rights section of the Guide for more details.
  • The processing must be a targeted and proportionate way of achieving the stated purpose.
  • When deciding which lawful basis applies, organisations must remember that there is no ‘one size fits all’ approach. The ICO says that “no one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR”. It also says that “you should always use the one that is most appropriate to the circumstances having considered the purpose of the processing”.
  • There are certain considerations to be taken into account if the original purpose for the processing changes over time or there is a new purpose.
  • Special provisions apply in relation to special category data (this is broadly similar to the existing concept of sensitive personal data) and criminal offence data – see the relevant sections of the Guide for details.

The ‘legitimate interests’ basis

The ICO recently published detailed guidance on legitimate interests, to help organisations decide when to rely on legitimate interests as the lawful basis for processing personal data, and when to consider the alternatives.

GDPR describes this lawful basis as processing “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

The following key points arise from the ICO’s guidance on this topic:

  • The legitimate interests lawful basis is similar to the legitimate interests condition under the DPA, with some changes to the wording. The ICO says that it “could in principle apply to any type of processing for any reasonable purpose” and this basis “is likely to be most useful where there is either a minimal impact on the individual, or else a compelling justification for the processing”.
  • Organisations can consider the legitimate interests of any third party, including the wider benefits to society.
  • As the legitimate interests basis is more flexible and wide-ranging than the alternatives, those choosing to rely on it take on additional responsibility for considering and protecting people’s interests, rights and freedoms. It may be more difficult to justify why this basis applies.
  • There are three parts to the legitimate interests basis. Organisations should:
    • identify a legitimate interest (the purpose test);
    • show that the processing is necessary to achieve it (the necessity test); and
    • balance it against the individual’s interests, rights and freedoms (the balancing test).
  • The ICO encourages organisations to assess each of these by carrying out a legitimate interests assessment or LIA – “a type of light-touch risk assessment based on the specific context and circumstances of the processing” – and to document the outcome. The LIA may identify the need to carry out a Data Protection Impact Assessment. LIAs, and the practical application of the three-part test, are considered in the section of the detailed guidance headed ‘How do we apply legitimate interests in practice?’
  • The balancing test is wider than a harm-based assessment. GDPR provides that if the individual does not reasonably expect the processing, their rights may override the organisation’s legitimate interests. This is an objective test. Examples of this, and more on the application of the three-part test, can be found in the section of the detailed guidance headed ‘What is the ‘legitimate interests’ basis?’
  • The section of the detailed guidance headed ‘When can we rely on legitimate interests?’ provides specific examples of when this basis can be used and when it should be avoided.
  • The legitimate interests basis cannot be used to legitimise processing which is unlawful under other legislation (for example, e-privacy legislation requiring that individuals give their consent to some forms of electronic marketing).
  • More detail is required in the privacy notice to comply with the right to be informed.
  • The right to data portability does not apply to personal data processed on the legitimate interests basis.
  • There are a number of benefits to choosing legitimate interests, including its flexibility and potentially wide-ranging application, and its role in helping to avoid what the ICO describes as ‘consent fatigue’.