Legitimate Interest is likely to be the most flexible of the six lawful bases. Used properly, Legitimate Interest can be your saviour; used improperly, it can be a lit firework just itching to burn your reputation and your pocket.
A Legitimate Interest can be:
- something in the interest of the business (data controller);
- something in the interest of the individual (data subject);
- something in the interest of another party; or
- any combination of the above,
providing that the processing is necessary, there is little risk of infringing upon the rights of the individual, and they would consider the proposed use of their information reasonable.
Here are some examples of Legitimate Interests:
1. Direct Marketing by Post - Legitimate Interest of the Business
You may determine that it is in the Legitimate Interest of your business to market via postal messaging your products and services to those persons who have previously purchased or expressed interest in purchasing from you. You may also infer from an enquiry or previous purchase that the customer has an interest in your products or services, and would be interested to hear about offers relevant to them.
So, if during the course of business, either as a sale or an enquiry, you
- capture the personal data of interested customers,
- tell those customers their personal data will be used for postal direct marketing, and
- provide them with a means to object to that marketing,
then you may rely on the above legitimate interest of your business, and that of the individual, to send them postal direct marketing for similar products and services.
Don't forget, however, that you must screen all direct marketing lists against the "Mailing Preference Service" and suppress from any mailings anyone who has registered on that service after the date you obtained their information.
Some less ethical businesses leverage a potential loophole in the law which allows the sending of "untargeted" direct mail to the household ("the occupier" or similar). We do not condone or recommend this, as it is not in the spirit of the GDPR. Such businesses claim that, as the mailing is not addressed to an individual, the data is not personal data; we would argue that it still may be. Consider the scenario where only one person lives at an address: any mail sent to that address is sent to that individual, even though they are unnamed.
2. Direct Marketing by Phone, SMS, Email or Social Media - Legitimate Interest of the Business
In a similar vein to Direct Marketing by Post, you may, during the course of a business enquiry or purchase transaction, collect a person's email address, phone number and/or social media contact details. Again, providing that during that transaction you make it clear the information will be used for marketing and give them the opportunity to opt out, you can use Legitimate Interest as a means of marketing without explicit consent. This is called the "Soft Opt-In" rule.
3. Marketing to "Third Party Lists" - Legitimate Interest of the Business
Many businesses purchase lists of prospects from reputable sources. Providing that those lists have been properly consented for third-party marketing by the list broker, and your "offer" is compatible with the subject matter of that third-party consent, a similar Legitimate Interest to the above could be used to market to these people.
4. Retaining Candidate CVs - Legitimate Interest of the Business
During the recruitment process you may obtain the CVs of numerous candidates, which you are required by law to retain for six months in case a candidate lodges a discrimination case. You may, however, decide as a business to retain this information for longer, which you would do under Legitimate Interest.
It may be valid to suggest that retaining those candidates' CVs for 12 or 18 months is within your legitimate interest, as it gives you access to a pool of potentially suitable candidates for roles which may arise in your business. It is also in the interest of the job seeker to be considered for those roles. If you choose to do this, however, it would be best practice to offer an opportunity to object to that information being retained beyond your legal obligation.
Legitimate Interest Assessments (LIAs)
With any processing based on Legitimate Interest, you must conduct a Legitimate Interest Assessment.
The assessment is split into three sections, in each of which you must demonstrate that you have considered the following:
- The Purpose Test
  - Why do you want to process the data?
  - Who will benefit from its processing, and in what way?
  - Are there any wider benefits to the processing, such as a public interest?
  - How important are these benefits?
  - What would the impact (or potential impact) be if the processing did not happen?
  - Is the processing ethical and expected?
- The Necessity Test
  - Does the proposed processing help to meet the purpose?
  - Are there any other ways in which the purpose could be met without this processing?
  - Is the processing a reasonable means of achieving that purpose?
- The Balancing Test
  - What is the nature of your relationship with the data subjects?
  - What categories of data are to be processed, and are any particularly sensitive or private?
  - Would people reasonably expect the data to be used for this purpose, and would you be happy to explain it to them?
  - Would people find it intrusive, and what kind of impact might it have upon them?
  - What safeguards have been adopted to minimise any impact?
  - Are any of the data subjects considered vulnerable?
When is a Legitimate Interest not a "Legitimate Interest"?
Some may argue, like the site one of our team visited recently, that placing advertising cookies on someone's website is in the legitimate interest of the AdTech agency, which gets paid to serve up ads, and in the interest of the website owner, who often also receives income from this.
It could also be argued that it is in the Legitimate Interest of the individuals who will receive advertising messages through cookie processing that those ads are "relevant" to their interests.
While these may be fundamentally true and valid definitions of a legitimate interest, the reality (certainly in the case of cookies) is that using legitimate interest as a lawful basis in this way is a direct breach of the Privacy and Electronic Communications Regulations. All cookies that are not absolutely necessary for the functioning of the website must be consented to, and the GDPR says that consent must be a freely given opt-in choice.
Playing "Devil's Advocate", what if the sole purpose of a website is to display targeted advertising?
Well, in that case, you could argue that in order for the site to function as intended, the advertising cookies are necessary, so there is a potential legitimate interest.
In the case we note above, the site was displaying an article; it was an information resource, not an advertising site. Even if that article itself was an advert (a sponsored article), then strictly speaking I should still be able to choose to view that information resource without consenting to targeted adverts.
If you are a business driven by ethics, and you care about how your customers perceive you, then you should always have the mindset that "just because we can, doesn't mean we should".
The same principle applies when considering if you have a Legitimate Interest. Simply because one exists, does not mean that legitimate interest is the most appropriate lawful basis to rely upon for that processing activity.
Download our free Legitimate Interest Assessment template
We're more than happy to share this document from our comprehensive GDPR documentation toolkit for free, but we'd like to ask for a few details from you, just so that we can follow up with you in a few days to check how you're getting on, and also keep you updated with all the latest news and information around Privacy, Data Protection and Information Security.