By now you have probably learned that the processing of personal data does not always require an act of consent. Whilst much of the internet is obsessing over consent, re-consent and double opt-in consent, you have correctly discovered that it is not the only way to legally process personal data.
The first of the GDPR's six core principles states that personal data must be processed lawfully, fairly and transparently. The six conditions of lawful processing are described in Article 6... one for the conspiracy theorists.
Six Lawful Methods of Data Processing
One such method of ensuring processing is lawful is to collect the consent of the personal data owner, or data subject. While this is attracting most of the focus in articles and blogs across the internet, consent is just one of six lawful methods and is often described as being the form of lawful processing which should only be used if one of the other five cannot be achieved.
- Consent of the data subject for a specific processing activity.
- Legitimate interests pursued by the data controller.
- Where processing is in the public's interest.
- Where there is a contractual necessity to process personal data.
- Where the data controller has legal obligations to comply with.
- Where the processing of personal data is in the vital interests of the data subject.
Whereas the last four are reserved for specific scenarios, option two, legitimate interests, has a much wider scope and avoids the need for consent, which in some cases can be difficult to attain.
The UK supervisory authority, the ICO, describes legitimate interests as the lawful basis with the widest possible scope. It is defined as a scenario where the data processing is reasonably expected by the data subject; will have minimal impact on the data subject's rights and freedoms; and there is a compelling reason for the processing.
Perhaps of most interest to those reading this blog post, marketing activities are considered lawful under the scope of legitimate interests. Yes, that's right, you do not always need consent to market; however, be cautious of other regulations such as the PECR.
The ICO recommends a three-stage test to see if your processing activity can be supported by the legitimate interests lawful basis.
- Identify your legitimate interest - Let's take the example of sending out an email to our contacts to invite them to a cool industry event we are running.
- Show that processing is necessary to achieve it - Speaking to each of our contacts in person would be difficult, and geographically perhaps impossible. Instead we wish to process their email address and name to send them an email-based invitation.
- Balance it against the data subject's interests, rights and freedoms - That leads us into creating an LIA (Legitimate Interests Assessment), or balancing test.
GDPR Legitimate Interests Assessments
LIAs, or balancing tests, are recommended in all cases where legitimate interests is the lawful basis relied on for processing personal data. The local supervisory authority can ask to view or review these as part of an investigation. The basic idea is for the data controller to consider and document the impact of the processing on the data subject, and whether that impact overrides the interest you have identified.
In other words, a risk assessment.
To conduct an LIA or balancing test, document the following:
- What is your relationship with the data subject? - Following on from the same example above, the data subjects in question are present in our client database because we have either sold them something or spoken with them about our offering.
- Is any of the personal data being processed private or sensitive? - We are processing an email address and name; we do not believe this content to be private or sensitive.
- Would data subjects expect you to process their personal data in this way? - Advertising to existing and prospective clients is commonplace and would likely be expected by the data subjects in question.
- Are some people likely to object or find this intrusive? - It is not likely to be considered intrusive and anyone objecting to this processing will be provided with an unsubscribe or opt-out option in the email they are sent.
- What is the possible impact on the data subject? - They will receive one email invite from us for an event we are organising.
- How big of an impact might this have on them? - Not a big impact at all.
- Are you processing children's personal data? - No, all of our contacts are of adult age, verified by the fact that they are employees of a UK business.
- Are any of the individuals vulnerable in any other way? - No.
- Can you adopt any safeguards to minimise the impact? - We will use only name and email address, to minimise the impact on the data subject should the email be sent to an incorrect recipient.
- Can you offer an opt-out? - Yes, an unsubscribe or opt-out option will be offered in the invitation email.
LIA / balancing test complete.
Polytheism in Data Protection
To conclude, consent is not the only path of lawful processing righteousness; in fact, only where you cannot demonstrate one of the other five is it recommended to pursue consensual processing. Data processing has many gods.
Ultimately, your ability to rely on legitimate interests must be demonstrated by your own good judgement on whether or not you have a genuine legitimate interest. In the eyes of the GDPR, the data subject is supreme and your right to process does not override their right to disagree.
Keep your house in order, your activities justified and your paperwork up-to-date, and you will find the GDPR makes your processing activities cleaner and more ethical. After all, when the working day is over and we all return home, we become data subjects ourselves.