DP2017: Using legitimate interests legitimately | DMA



Sacha Wilson, senior associate at Bristow’s, took on legitimate interests under the GDPR and attempted to give clarity to delegates.

Why all the fuss about legitimate interest? Sacha claimed that legitimate interests is not a new concept; it exists in current legislation. However, he felt there had been a lot of scaremongering around GDPR and this was contributing to a climate of fear for organisations.

In his opinion this fear was misplaced and legitimate interests would be a viable legal ground for a number of different marketing purposes.

But, what is a legitimate interest? Sacha explained: “There are certain purposes for which any reasonable business should be allowed to use people’s personal information without getting their permission, because it needs to do it to run a successful business these days and, provided the business is open about it, it shouldn’t upset people or cause them too much harm.”

Sacha said marketers should always think about the reasonable expectations of consumers and always ask how they would feel if they were in the customers' shoes. He also noted that the reasonable expectations principle is a point the ICO frequently references in its enforcement cases.

When deciding whether you have a legitimate interest, there is a process to go through to determine whether an organisation can proceed.

The data processing must be necessary, you must have a clear legitimate interest, and you’ll need to balance your organisation’s interests with people’s rights.

The last step is completed by carrying out a balancing test, where privacy risks to individuals are flagged up and then appropriate mitigation measures can be taken. For example, data retention periods might be a means of lowering the risk for individuals. A simple opt-out must always be offered too.

Sacha reminded delegates that they needed to be mindful of other rules for the marketing sector in the Privacy and Electronic Communications Regulations (PECR) as these prohibit the use of legitimate interest in certain contexts. For example, B2C email marketing requires an opt-in consent in order to be valid.

Sacha frequently referred to the Data Protection Network’s legitimate interest guidance during his talk, which he helped create along with the DMA. It’s available here.
