Legitimately using Legitimate Interests - new guidance
11 Jul 2017
New Data Protection Network guidance shows businesses how they can use Legitimate Interests to access personal data under the GDPR from May 2018
Under the General Data Protection Regulation (GDPR), the rules around consent will tighten from May 2018.
Many organisations are looking into other legal grounds for lawfully processing personal data, such as Legitimate Interests, as an alternative to consent.
Marketers' continued use of legitimate interests under the new laws was something the DMA and partners lobbied hard for in the EU.
In 2016, the Information Commissioner’s Office (ICO) called for the industry to work with regulators to make sure it has the guidance it needs, and the Data Protection Network (DPN) answered the call.
Over the last few months the DMA has been part of the DPN's GDPR Working Group, working together to produce practical guidance for marketers on Legitimate Interests.
The Guidance has been possible thanks to contributions from the DMA team, DMA members, ISBA and representatives of some of the largest companies and institutions in the UK. The resulting guidance is designed to help organisations take Legitimate Interests from concept to practice.
Rachel Aldighieri, MD at the DMA, said: “In order to prepare for GDPR in time for May 2018, businesses need to understand how, when and why they’re able to use legitimate interest as a legal basis for contacting potential customers. According to our latest GDPR and You research, one in four marketers are concerned about the issue of Legitimate Interests under the new rules.”
According to the GDPR, organisations need to identify one of six lawful bases for the processing of personal data. In its draft guidance on consent, published earlier this year, the ICO stressed that consent should only be used when a genuine choice can be offered. If this is not possible, then other grounds for processing should be considered.
Legitimate Interests is one alternative, but it needs careful consideration. The interests of an organisation must not be outweighed by the privacy rights and freedoms of individuals, for example.
A draft of the DPN’s Guidance was submitted to the ICO in the spring and the initiative has been welcomed by both the ICO and the DPC in Ireland as an example of industry proactively supporting Regulators.
Aldighieri adds: “The ability for marketers to continue to use legitimate interest under the new laws was something the DMA lobbied firmly for, so it’s great to have guidance on this very important issue that has also been welcomed by the ICO.”
The final guidance includes:
- A template for conducting the crucial “3-stage test” – a Legitimate Interests Assessment (LIA)
- Examples of where LI might apply (subject to an LIA)
- Help on how organisations can fulfil the requirement to communicate the use of LI to individuals
Robert Bond, Chairman of the Data Protection Network and Partner & Notary Public at Bristows LLP, said: “I am delighted that the Data Protection Network and other collaborators have been able to publish this Guidance. I appreciate the work of all involved and the Information Commissioner’s Office for valuable scrutiny and comment. This Guidance will be kept under review and updated as necessary.”
If you need help preparing for the GDPR, download our GDPR checklist to help you plan.