GDPR and legitimate interest: What you need to know

Polly Kay
17th July 2019

Getting to grips with GDPR compliance can be a steep learning curve for businesses that don’t have their own in-house legal department, and although GDPR has now been in force for over a year, some parts of it are still far from intuitive to many data controllers. One example is ‘legitimate interest’, one of the six lawful bases for processing personal data.

In this article, I will explain what constitutes a legitimate interest under GDPR, share some examples of legitimate interest in practice, and explain how legitimate interest applies to direct marketing in ways that might be relevant to your business.

A brief explanation of GDPR

The General Data Protection Regulation (GDPR) became enforceable across the EU on 25 May 2018, with the intention of updating the earlier laws protecting the personal information of EU data subjects for the internet age.

GDPR has resulted in a substantial change to how businesses and organisations are permitted to handle personal information belonging to individuals, and gives those individuals more knowledge of, and control over, who they give such information to and how it is used.

The onus now falls on the business or organisation requesting or capturing personal data to identify and document a lawful basis for doing so (consent is only one of the six), to explain clearly why the data is being collected, and to handle, store and process it in accordance with the Regulation’s principles.

What is a “legitimate interest?”

Under GDPR, there are six lawful bases on which businesses and organisations may collect and process the personal data of individuals (data subjects).

To collect, store, process and use the personal data of EU data subjects, you must have a valid lawful basis for doing so, and you must choose the most appropriate of the six for the scenario at hand. The ICO’s guidance is that you should decide on, and document, the basis before processing begins, because switching to a different basis later is difficult to justify.

Legitimate interest is perhaps the broadest of the six bases, the one most open to interpretation, and the one most likely to be used for processing that doesn’t fit neatly within one of the other five.

The ICO describes legitimate interest as “the most flexible lawful basis for processing,” but this does not mean it will always be the most appropriate for your purposes.

The benchmark test for legitimate interest GDPR compliance

A legitimate interest for the purposes of GDPR must pass a three-part test (the ICO calls the documented version of this a legitimate interests assessment, or LIA):

  • Purpose test: identify the legitimate interest behind the processing
  • Necessity test: the processing must be necessary to fulfil that interest, with no less intrusive way of achieving it
  • Balancing test: the interest must not be overridden by the interests, rights and freedoms of the individual data subject

So, what constitutes a legitimate interest?

A legitimate interest can be an interest of your own or of your business (GDPR also allows for the legitimate interests of a third party), provided that processing the personal data is necessary to achieve it and there is no less intrusive way of gathering the information required.

The interests of the business must be weighed against the individual’s rights and freedoms. If your data subject could not reasonably expect their information to be processed in this way (assuming that consent was not requested or given), or if the processing might cause them unjustified harm, then their interests override yours and the legitimate interest basis fails.

GDPR legitimate interest examples

As mentioned, the legitimate interest basis is somewhat open to interpretation, but it is not a free pass to gather personal data for any purpose without due consideration of the law.

A good touchstone for weighing a legitimate interest against the rights of the data subject is to ask yourself, “would the data subject reasonably expect us to hold and use this data, and be happy for us to do so?” If the answer is “no,” your legitimate interest claim won’t stack up.

Here are some GDPR legitimate interest examples that can help you to identify a legitimate interest:

Scenario one: To respond to a customer enquiry

One of the least ambiguous situations in which legitimate interest may be used is to respond to an enquiry from a prospect. This does not require separate consent to hold and process the personal data supplied, because the prospect would reasonably expect you to do so by virtue of having made the request.

For example, if a prospect asked for more details about a product or service and filled in a contact form or provided other contact details, the information they provide can be used to respond to their enquiry.

Scenario two: Where necessary to protect the business’s interests

If the actions of a third party have a negative impact on your business – such as a client failing to pay a bill on time – you would be within your rights to process that third party’s information in order to recover what you are owed.

Scenario three: For personalisation

In some situations, personalisation can be a valid legitimate interest, such as using customer insights to tailor the ads served or products showcased to a visitor on your website. Improving the customer experience in a non-intrusive way can be a valid use of legitimate interest; intrusive profiling or tracking that the visitor would not expect is much harder to justify on this basis.

Scenario four: To add value

If your use of personal data adds value for the data subject, this also constitutes a legitimate interest. For instance, to advise an existing customer about the upcoming end of contract, or the need to renew a subscription.

In a situation such as this, using the legitimate interest GDPR basis adds value for the client, because it negates the need to bother them repeatedly for approval to inform them about situations that are directly relevant to them, and that are in their best interests.

Scenario five: Necessity in the interests of accurate record keeping

Imagine that a customer cut or injured themselves whilst on your premises; an employee assists them or administers first aid, and an incident report or accident report needs to be completed to reflect this and to safeguard the business.

Capturing the personal details needed for that record would also fall under the legitimate interest basis (or, where a specific health and safety law requires the record, under legal obligation).

GDPR legitimate interest direct marketing applications

The examples above cover a broad range of applications, but the use of legitimate interest for marketing purposes is perhaps the most confusing.

Direct marketing is actually addressed within the Regulation itself: Recital 47 states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

However, the key phrase here is “may be regarded,” which again means that you cannot simply treat legitimate interest as a catch-all permitting all manner of marketing, because your prospects might not reasonably expect it, and might not agree to it if given the option.

Here are a couple of scenarios within which the legitimate interest GDPR basis could fairly apply to marketing endeavours:

Scenario one: to send marketing or promotional materials to a current supporter

If you already hold a GDPR-compliant database of people who have opted in or otherwise given permission for marketing communications, sending a new promotion for a similar product to those prospects is something they would reasonably expect, and legitimate interest can support it.

Because those parties previously opted in or otherwise indicated support for your use of their data, legitimate interest may be relied on for future communications of the same kind, where seeking fresh consent from each individual for every new communication is unviable. Note, however, that in the UK electronic marketing (email, SMS, automated calls) is also governed by the Privacy and Electronic Communications Regulations (PECR), which require consent or the “soft opt-in” for existing customers regardless of your GDPR lawful basis; legitimate interest under GDPR does not override that requirement.

All bets are of course off if a prospect has previously opted out or explicitly withdrawn their consent for this!

Always perform the three-part test before assuming that legitimate interest and a previously established relationship give you carte blanche to market to your existing prospects, lest you fall into the same trap as Honda and Flybe.

In 2017 the ICO fined Flybe £70,000 and Honda £13,000 under PECR for sending marketing emails to people who had opted out of marketing or whose consent status was unknown, in Flybe’s case under the guise of asking them to update their preferences. Emails asking for permission to market are themselves marketing, and the earlier opt-outs meant the recipients had no expectation of receiving them.

Scenario two: Data analysis for market research

Processing data for analysis – such as for market research – can fall under legitimate interest, provided that the processing will not have a negative impact on the data subjects and there is a reasonable expectation that it will benefit the business.

For instance, if processing the data will help the business fine-tune its marketing or customer service without being invasive or harming the data subjects, this would meet the benchmark for appropriate use of legitimate interest. Working with aggregated or pseudonymised data where possible also strengthens the necessity and balancing arguments.

These two scenarios are examples of compliant direct marketing uses of legitimate interest, but the range of potentially acceptable scenarios is much broader, provided your purpose and activities pass the three-part test.

On which note…

And finally: A simple legitimate interest GDPR checklist

If you want to make sure you’re covering all of your bases when choosing legitimate interest as the basis for collecting and processing personal data, here is a simple checklist:

  • Always apply the three-part test before proceeding under the legitimate interest basis – identify the legitimate interest, confirm that the processing is necessary to fulfil it, and balance the business’s needs against the rights and interests of the data subject – and keep a record of that assessment.
  • If your legitimate interest assessment indicates a significant privacy impact for the data subject, make sure you have considered whether you also need to conduct a data protection impact assessment (DPIA).
  • Make sure your use of personal data is not intrusive or harmful to the individual unless there is a strong and unambiguous reason that makes this unavoidable, such as the legal pursuit of a bad debt.
  • Tell people in your privacy information that you are relying on legitimate interest and what that interest is, and remember that individuals have the right to object to processing carried out on this basis.
  • Don’t place your business at unnecessary risk by pushing the boundaries of what might be considered an acceptable or appropriate use of the legitimate interest basis.
  • Don’t treat legitimate interest as a free-for-all to spam prospects, to dredge up historical databases of people who would no longer reasonably expect you to be using their data, or as a blanket basis where a more relevant basis applies – or where your purpose does not fall under any of the six lawful bases at all.

The information in this article is for general guidance about data protection rules and is not legal advice. We have tried to ensure that this guidance is accurate and relevant as at June 2019. However, Nominet UK will not accept liability for any loss, damage or inconvenience arising as a consequence of any use of, or the inability to use, any information contained in this guidance.