Many people in the cultural sector and beyond believe that, under the new GDPR regulations, consent is the only basis for keeping or using personal data. Indeed, the overwhelming belief that consent is the ‘silver bullet’ for complying with GDPR led Elizabeth Denham, the Information Commissioner, to publish a blog post arguing the exact opposite.
Under GDPR there are in fact six lawful bases on which your organisation may rely to keep or use personal data:
- Consent – The person has consented to you keeping or using their data.
- Contractual – Keeping or using someone’s personal data is required to fulfil a contract between them and your organisation.
- Legal Obligation – Your organisation needs to keep or use personal data in order to comply with the law.
- Vital Interests – Keeping or using someone’s personal data is necessary to protect the vital interests of that person or of somebody else.
- Public Task – Your organisation needs to keep or use someone’s personal data to perform a task that is in the public interest.
- Legitimate Interests – It is in your organisation’s and the person’s legitimate interests for your organisation to keep or use their personal data.
Apart from consent, the one that will likely affect your organisation the most (but is perhaps the least understood) is the last one: legitimate interests. In this article, I’ll aim to provide you with a little understanding of what legitimate interests is and how it can form the basis for your organisation to keep and use personal data.
Legitimate interests – Legitimately interesting
The jargon-filled official explanation of legitimate interests in GDPR is as follows:
‘Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’
Essentially, this means that you are allowed to keep or use personal data as long as you have identified why doing so is in your organisation’s interests and doing so does not infringe upon the interests of the person the data belongs to. You’re allowed to use legitimate interests as the basis for processing data when none of the other bases described above is viable, or when legitimate interests is the most appropriate basis for that processing.
The key point is that legitimate interests is about the balance between the interests of your organisation (the Data Controller) and the rights and freedoms of the person the data belongs to (the Data Subject). So how do you assess this balance? By undertaking a three-stage test known as a Legitimate Interests Assessment (LIA):
1. Identify a Legitimate Interest
You must identify the purpose for using or keeping the personal data and why it is important to your organisation.
2. Carry out a Necessity Test
You must consider whether your organisation actually needs to use or keep the personal data to meet its objectives.
3. Carry out a Balancing Test
You need to evaluate whether keeping or using the data goes against the interests of the data subject.
Keep it clear and simple
Under GDPR, people have the right to be informed about how their data is being processed. If your organisation wants to rely on legitimate interests as the basis for processing personal data, then you must inform your customers that you are processing their data on that basis. You also need to tell them what those legitimate interests are, and notify them of their right to object to their data being processed on these grounds. The information you give people must be explicit, clear and separate from other information.
A very comprehensive guide to legitimate interests, including example Privacy Notices and an LIA template, is published by the Data Protection Network.