
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Exercising Your Legitimate Interests with the GDPR

Posted: 16 May 2018

Exercising Legitimate Interests with the GDPR and Data Protection

By now you have probably learned that the processing of personal data does not always require an act of consent. Whilst much of the internet is obsessing over consent, re-consent and double opt-in consent, you have correctly discovered that it is not the only way to legally process personal data.

The first of the GDPR's six core principles (Article 5) states that personal data must be processed lawfully, fairly and transparently. The six lawful bases that make processing lawful are then set out in Article 6. Six principles, six bases, Article 6: one for the conspiracy theorists.

Six Lawful Bases for Data Processing

One such basis is the consent of the data subject, the individual the personal data is about. While consent attracts most of the attention in articles and blogs across the internet, it is just one of six lawful bases, and it is often described as the basis to fall back on only when none of the other five applies.


The six lawful bases listed in Article 6(1) are:

  • Consent of the data subject for one or more specific processing purposes.
  • Legitimate interests pursued by the data controller (or by a third party).
  • Where processing is necessary for a task carried out in the public interest or in the exercise of official authority (the "public task" basis).
  • Where processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering into one.
  • Where the data controller has a legal obligation to comply with.
  • Where the processing of personal data is necessary to protect the vital interests of the data subject or another person.

Whereas the last four are reserved for specific scenarios, option two, legitimate interests, has a much wider scope and avoids the need for consent, which in some cases can be difficult to obtain. One exception to note: public authorities cannot rely on legitimate interests for processing carried out in the performance of their public tasks (Article 6(1), final subparagraph).

The UK supervisory authority, the ICO, describes legitimate interests as the most flexible lawful basis, with the widest scope of the six. It is most appropriate where the data processing is something the data subject would reasonably expect and which has minimal impact on their rights and freedoms, or where there is a compelling justification for the processing. That flexibility cuts both ways: because the basis is open-ended, the burden of demonstrating that it applies sits squarely with you.

Perhaps of most interest to those reading this blog post, direct marketing is explicitly named as a potential legitimate interest (Recital 47). Yes, that's right: you do not always need consent to market. Be cautious of other regulations, however, most notably the PECR. For electronic marketing to individual subscribers (private individuals, sole traders and some partnerships) the PECR requires consent, or the "soft opt-in" for existing customers, whatever your GDPR lawful basis; that rule does not apply to corporate subscribers such as limited companies, which is why the example below, aimed at employees of UK businesses, works.


The ICO recommends a three-part test to see if your processing activity can be supported by the legitimate interests lawful basis: the purpose test, the necessity test and the balancing test.

  1. Identify your legitimate interest (the purpose test) - Let's take the example of sending an email to our contacts to invite them to an industry event we are running.
  2. Show that processing is necessary to achieve it (the necessity test) - Speaking to each of our contacts in person would be difficult and, geographically, possibly impossible. Instead we wish to process their name and email address to send them an email invitation. "Necessary" means there is no less intrusive way to achieve the same purpose, not merely that the processing is convenient.
  3. Balance it against the data subject's interests, rights and freedoms (the balancing test) - That leads us into creating an LIA (Legitimate Interests Assessment), of which the balancing test is the final part.


GDPR Legitimate Interests Assessments

An LIA is recommended wherever legitimate interests is the lawful basis relied on for processing personal data. Strictly, the balancing test is the third part of the LIA, but the two terms are often used interchangeably, as they are here. The local supervisory authority can ask to view or review these as part of an investigation, so keep them on file alongside your Article 30 record of processing activities. The basic idea is for the data controller to consider and document the impact of the processing on the data subject and whether that impact overrides the interest you have identified.

In other words, a risk assessment.

To conduct an LIA or balancing test, document the following:

  • What is your relationship with the data subject? - Following on from the same example above, the data subjects in question are present in our client database because we have either sold them something or spoken with them about our offering.
  • Is any of the personal data being processed private or sensitive? - We are processing a name and an email address; we do not believe this to be private or sensitive, and it is not special category data under Article 9.
  • Would data subjects expect you to process their personal data in this way? - Advertising to existing and prospective clients is commonplace and would likely be expected by the data subjects in question.
  • Are you happy to explain this to them? - Yes, and we already include this in our publicly available privacy policy. Note that where you rely on legitimate interests, Article 13(1)(d) requires your privacy notice to state the legitimate interests pursued, so check that the policy actually says so rather than only listing "legitimate interests" as a basis.
  • Are some people likely to object or find this intrusive? - It is not likely to be considered intrusive, and anyone objecting to this processing will be offered an unsubscribe or opt-out option in the email they are sent. Remember that under Article 21(2) the right to object to direct marketing is absolute: once someone objects, processing for that purpose must stop, and there is no balancing to be done.
  • What is the possible impact on the data subject? - They will receive one email invite from us for an event we are organising.
  • How big of an impact might this have on them? - Not a big impact at all.
  • Are you processing children's personal data? - No, all of our contacts are adults, which we infer from the fact that each is an employee of a UK business.
  • Are any of the individuals vulnerable in any other way? - No.
  • Can you adopt any safeguards to minimise the impact? - We will use only name and email address, to minimise the impact to the data subject should the email be sent to an incorrect recipient.
  • Can you offer an opt-out? - Yes, an unsubscribe or opt-out option will be offered in the invitation email.

LIA / balancing test complete.

Polytheism in Data Protection

To conclude, consent is not the only path to lawful processing righteousness; in fact, it is only where you cannot demonstrate one of the other five bases that consent is the recommended route. Data processing has many gods.

Ultimately, your ability to rely on legitimate interests rests on your own good judgement, documented in the LIA, as to whether you have a genuine legitimate interest. In the eyes of the GDPR the data subject is supreme, and your right to process does not override their right to object.

Keep your house in order, your activities justified and your paperwork up to date, and you will find the GDPR makes your processing activities cleaner and more ethical. After all, when the working day is over and we all return home, we become data subjects ourselves.


Posted by: Chris Payne, Senior Technical Consultant, Infinigate UK
