Having a lawful basis to process personal data is nothing new and is already covered under the Data Protection Act 1998. However, from 25th May 2018 this will be governed by Article 6 of the GDPR (see our recent introduction to GDPR for more information). There remain six lawful bases on which an organisation can process personal data, and at least one of these must apply:
- Consent – the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation – the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests – the processing is necessary to protect someone’s life.
- Public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks).
Consent
- No more pre-ticked boxes
- No more making consent a precondition of a service
- Consent should be separate from business terms and conditions
- Separate consent for different things, one box doesn’t fit them all
- Make it easy for an individual to withdraw consent at any time
- Keep a record of when and how an individual gave consent
- You must name your organisation and any third-party controllers who will rely on the consent
- You must provide details of why you want the data and what you will do with it
Legitimate interests
Legitimate interests is likely to be the most appropriate lawful basis for processing an individual's data when the processing is something they would reasonably expect, or when there is a clear justification for it. You must include details of your legitimate interests in your privacy policy. Although this is again covered under previous legislation, the GDPR now requires you to document your decisions on legitimate interests in order to demonstrate compliance. It is important that, in the run-up to 25th May 2018, you review your privacy policy and communicate it to affected individuals.
Examples of legitimate interests
- Suppression – when an individual opts out or unsubscribes from marketing communications you may need to retain some personal information, such as email addresses and mobile numbers, to ensure that the individual is excluded from future marketing campaigns.
- Personalisation – a retail firm may rely on consent in order to send out marketing communications, but it may use legitimate interests in order to personalise the products or services it offers to customers.
Three-part legitimate interests test (sometimes called legitimate interests assessment or LIA)
- Identify the legitimate interest – are you pursuing a legitimate interest?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – do the individual's interests, rights or freedoms override that legitimate interest?