Under the GDPR, consent isn’t the only lawful basis for data processing
The European Union’s General Data Protection Regulation (GDPR) says that in order to collect and process personal data, an organization must have a “lawful basis” to do so. Article 6 sets out six such bases, and most are relatively straightforward: you’re in the clear if a data subject explicitly consents to a given use of their data, for instance, or if there’s a legal requirement for you to collect and process data in a certain way.
But there’s one lawful basis that’s simultaneously widely used and poorly understood: the “legitimate interest” basis for data usage. According to the GDPR, data processing is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” — unless those legitimate interests are “overridden by the interests or fundamental rights and freedoms of the data subject.”
On the one hand, the GDPR clearly suggests that organizations can lawfully use personal data if they really need to. But it also clearly says that the “legitimate interest” basis for data processing can be canceled out by the countervailing interests of the data subject. That’s a tricky needle to thread: how can organizations decide whether their interests are “legitimate,” and how are they supposed to figure out whether their interests are “overridden” by those of the data subject?
The three-part test
The GDPR doesn’t define what constitutes a “legitimate interest,” so this is something organizations have to figure out for themselves on a case-by-case basis. The regulation’s recitals offer some examples of legitimate interests, such as processing the data of existing clients or employees, fraud prevention, direct marketing, and ensuring network and information security. Still, there are no hard-and-fast rules on which organizations can rely to ensure they’re covered by a “legitimate interest” basis for data processing.
Because of that, it’s helpful to think of the “legitimate interest” basis as a process rather than simply a set of fixed criteria. To meet your obligations, you need to be able to show that you’ve weighed your own “legitimate interest” against the interests of data subjects. The UK Information Commissioner’s Office (ICO) suggests using a three-part test (purpose, necessity, and balancing) to figure out whether your “legitimate interest” claim holds water:
- First, your data processing should have a clear purpose that serves either your organization’s interests or those of a third party. The key here is to be specific: your purpose can’t simply be to process data as an end in its own right, but should be a clear goal that delivers evident benefits to your organization. For instance, a company might have a clear interest in checking that it isn’t being defrauded, or in identifying potential security threats.
- Next, your data processing should be necessary to achieve that goal. That doesn’t mean it’s the only way to achieve a certain goal, but it does mean that your data processing should be targeted and proportionate to your stated ends. If you’re trying to tackle fraud, for instance, you should only be processing data that’s directly related to that goal.
- Finally, your data processing should be balanced against the interests and rights of the data subject. It’s important to show that you’ve carefully considered your data subjects’ rights, and that you’re doing your best to minimize any potential impact on them. This is especially important if you’re handling data pertaining to children, who are singled out for special protection under the GDPR.
Such tests are in some ways more art than science. Still, conducting and documenting a formal evaluative process (the ICO calls this a legitimate interests assessment) is vital to show that you’re properly weighing your own legitimate interests against those of your data subjects, and it’s the record you’ll need if a regulator or a data subject ever asks you to justify the processing.
Expectations and objections
Besides the three-part test, there are two other important factors to consider.
First, the data subject’s reasonable expectations weigh heavily in the balancing test: processing that users would reasonably expect, given their relationship with you and the context in which the data was collected, is much easier to justify than processing that would surprise them. This doesn’t mean that a specific user has to actually expect their data to be processed in a certain way, just that a reasonable person in their position would likely make that assumption.
Second, remember that the GDPR gives data subjects the right to object to the use of their data. That’s especially important for data processed under a “legitimate interest” rationale, when there can be grounds for differing opinions about whether data use is justified.
If a user objects to your use of their data, the onus is on your organization to demonstrate not just that you have a legitimate interest, but compelling legitimate grounds that override the user’s interests, rights and freedoms (or that the processing is needed to establish, exercise or defend legal claims). That’s a high bar to clear, especially since you could face steep fines if you improperly persist in using personal data following an objection. Note that direct marketing is a special case: where a data subject objects to processing for direct marketing, the GDPR gives you no balancing test to fall back on, and you must stop processing their data for that purpose.
Most objections result in organizations either halting data usage or deleting a user’s data. If such objections become widespread, you may need to explore using a different lawful basis to justify your data processing.
A tech solution
So is a “legitimate interest” basis right for your organization? Well, it’s certainly worth considering if you want to use data in a way that brings a clear benefit to your organization, doesn’t carry significant risk of infringing on data subjects’ privacy rights, and that data subjects should reasonably expect to occur.
Still, a “legitimate interest” rationale for data processing comes with a unique set of complexities, including documentation requirements and the need to respond quickly and effectively to objections raised by data subjects.
At Ketch, we specialize in helping organizations to formulate data policies that can be applied instantly across your entire data ecosystem, providing trackable real-time data privacy and compliance capabilities without the need to rewrite code or rebuild your tech stack. If you’re considering using a “legitimate interest” basis for GDPR compliance, get in touch today, and find out how Ketch can take your organization’s data processing to the next level.