GDPR: No consent required, but what is “legitimate interest”?
Last week I wrote about why “consent”, in many cases, will not be required from data subjects in order to process data under the GDPR.
In brief, there are many bases on which personal data can be processed under the existing and new data protection frameworks. One of the bases we consider to be most important is processing on the basis that you have a “legitimate interest” to do so. But what does this actually mean?
The term is likely to be interpreted broadly. Recital 47 of the GDPR makes it clear that a business processing personal data, without the individual’s consent, with the object of pursuing a legitimate interest may be a lawful base for processing such data provided that the rights and freedoms of the individual to which the personal data relates are not overridden by that processing. Following this, it is stated that “direct marketing” may be an interest which is considered to be legitimate.
In other words, if the fundamental rights and freedoms of an individual are not being overridden by a business sending direct marketing to individuals, for example, there will be no requirement to ask for consent to carry out this activity at the time of collecting the personal data.
However, “direct marketing” does not necessarily mean “direct email marketing”. In order to be compliant, data processors should provide an individual with the option to “opt-out” of receiving such email communications at the time of collecting the data, but there is not necessary a requirement to obtain active consent (or “opt-in”) to send marketing emails.
But isn’t it difficult to say whether something is or is not a legitimate interest? What about the potential fines the ICO may impose under the GDPR if you get it wrong?
The first thing we recommend is that you adopt a common sense approach. If you are able to show that you have considered whether or not you really do have a legitimate interest, that this is balanced with the fundamental rights and freedoms of the data subject, and that this is a reasonable conclusion to come to, you are unlikely to be in significant breach of the GDPR in respect of choosing the correct basis on which to process that personal data. Document the approach you have taken and have it signed off at board level.
Secondly, various ICO guidance and some case law, has suggested adopting the following three-step approach when considered whether or not you have a legitimate interest:
(i) Is your business interest legitimate – i.e. is what you’re doing lawful and in the interests of developing your business?
(ii) Is it absolutely necessary to take the steps you are taking in pursuing that interest? In other words, can the interest you are pursuing be achieved in another, less intrusive way?
(iii) What is the overall impact on the fundamental rights and freedoms of the data subject as a result of your actions? Can the data subject easily stop the processing if they wish? Would the data subject reasonably expect you to attempt to pursue this interest?
If you are able to show that the interest you are pursuing (for example, sending marketing emails to past customers) does not override the fundamental interest of the individual to whom you are sending those emails (for example, because they can easily unsubscribe from such marketing emails) you are likely to have a legitimate interest in doing so.
Remember, there is an absolute right to object to direct marketing under the GDPR. This means that if an individual objects to direct marketing, you must stop that processing. Make it as easy for data subjects to object as possible.