Within the General Data Protection Regulation (GDPR) organisations are required to specify one of six lawful bases for processing data.
Some of these lawful bases are more objective and indisputable than others, and some require more work to implement than others. The list below is arranged in this author's order of preference:
- Legal obligation – if you have a lawful reason for processing and can state what this is, it is clear and indisputable.
- For the performance of a contract in which the data subject is a party – contractual obligations are also clear and indisputable.
- To protect the vital interests of a data subject – if processing may protect an individual or save a life, this is a strong justification for processing data.
- For tasks carried out in the public interest – this may concern things like environmental analysis or the detection of criminal behaviour, which is a more subjective judgement. This is one of the two lawful bases to which data subjects can object.
- Legitimate Interests – this processing may be to benefit your company or a third party, but this is also a subjective judgement and open to objection by data subjects.
- Data subject consent – this is a strong lawful basis to have, but requires the most effort, evidence and change control to adhere to the strict standards for informed consent.
Depending on the circumstance, you may be able to market to people under legitimate interests, or you may need to use consent.
In general, legitimate interests will apply where the processing might reasonably be expected by the data subject and where its impact on the data subject’s privacy is not significant. It may also apply where there is a strong, justified reason for the organisation to carry out the processing.
To mitigate the subjective nature of legitimate interests, a three-part test should be applied which can demonstrate:
- The precise nature of the legitimate interests (the Purpose test)
- That the processing is necessary for the legitimate interests (the Necessity test)
- That the data subject’s interests, rights and freedoms do not override the organisation’s legitimate interests (the Balancing test)
All three tests are still subjective though, so care should be taken that a fair and balanced approach is used, and a reasonable, defensible conclusion is drawn. Legitimate Interest Assessment templates are available online.
This level of due diligence will provide some protection where objections to processing are received, but, more importantly, it moves organisations into a position where they are embracing the spirit of the law and not just its letter. When we start debating whether we really need to process this data, or whether we can get the same benefits from processing less data at less risk, that is the start of a cultural shift toward the ethical use of data.