GDPR: consent or legitimate interests?

By Lyndsey Hall

If you’re still unsure how the new General Data Protection Regulation will effect your business’s marketing activities, we’re here to help. You can brush up on the basics of the new rules by taking a look at our blog post GDPR: a guide for business.

Consent vs. Legitimate Interests

One of the main considerations for businesses when deciding how to manage their GDPR responsibilities is whether they have an individual’s consent to store personal data and send marketing communications. However, consent isn’t the only route to remaining compliant with the new regulation. If a recipient has a potentially legitimate interest in the business’s products or services and the information being sent, then there’s no breach of GDPR.

Lawful Basis

In total, there are six possible criteria which could form a ‘lawful basis’ for processing an individual’s data. These are:

• Consent: You have clear, unambiguous consent, given by an affirmative action by the individual, to process their personal data for a specific reason (e.g. they subscribed on your website and ticked a consent box).
• Contract: You have a contract with an individual for which it’s necessary to process their personal data in order to carry out your contractual obligation to them (e.g. your clients, if you provide a professional service).
• Legal obligation: It’s necessary to process an individual’s data in order to comply with the law (e.g. your employer or landlord).
• Vital interests: It’s necessary to process an individual’s personal data to protect someone’s life (e.g. a doctor’s surgery).
• Public task: It’s necessary to process an individual’s data in order to perform a task in the public interest or for official functions, and the task or function has a clear basis in law (e.g. HMRC or the police).
• Legitimate interests: It’s necessary to process an individual’s personal data for your own legitimate interests or the legitimate interests of a third party. However, where there is good reason to protect the individual’s personal data, this will override those legitimate interests.

For most businesses, the only relevant criteria are consent, contract and legitimate interests. If you have clients whose personal data you need to handle in order to provide them with your particular service, then you’ve ticked the contract box, but what about non-clients? That depends: where did you come across them, how did you obtain their data, and what do you use it for?

Marketing and GDPR

For marketing purposes, the lawful basis for processing an individual’s data will usually be either consent or legitimate interests. If your database was collated from website and email subscribers who actively ticked a box to say they wanted to be contacted, then you’ve satisfied the consent requirement. Boxes can no longer be pre-ticked, and should also be affirmative rather than negative, i.e. they need to tick to opt in, not to opt out.

Legitimate interests are slightly more complicated and not as easy to define, but that doesn’t make it the best option in all cases. If you choose to form your lawful basis for processing data on legitimate interests, you’re taking on additional responsibility for considering and protecting people’s rights and interests, and need to be able to prove that the data processing is necessary. If you could reasonably achieve the same result without needing to handle personal data, legitimate interests won’t apply.

The legitimate interests can be your own or a third party’s, and can include commercial interests, individual interests or broader societal benefits, which gives you a wide range of options for forming your lawful basis. It could apply wherever you use people’s data in a way they would reasonably expect, and which has a minimal privacy impact, but if they wouldn’t reasonably expect you to process their data or if it would cause unjustifiable harm, the individual’s interests are likely to override yours.

You should keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if and when required. There’s a three-part test you can use:

1. Purpose test: are you pursuing a legitimate interest?
2. Necessity test: is the processing necessary for that purpose?
3. Balancing test: do the individual’s interests override the legitimate interest?

The Information Commissioner’s Office (ICO) has a handy checklist on the website that you can download and keep to help you identify whether legitimate interests applies. The GDPR specifically mentions use of client or employee data, marketing, fraud prevention and IT security as potential legitimate interests, but this list is not exhaustive. Take a look at the ICO website for further guidance.