When it comes to GDPR, one area you may have yet to address is the lawful basis under which your organisation processes personal data.
Under GDPR you will be required to explain your lawful basis for processing personal data. The good news is that the lawful bases in the GDPR are broadly the same as the conditions for processing under existing legislation. It should be possible to review the types of processing activities you carry out and to identify your lawful basis for doing so.
The conditions for processing (the lawful bases) set out in Article 6(1) of the General Data Protection Regulation are as follows:
- The individual whom the personal data is about has given consent to the processing for one or more specific purposes;
- The processing is necessary for the performance of a contract with the individual, or to take steps at their request before entering into a contract;
- The processing is necessary to comply with a legal obligation to which the controller is subject;
- The processing is necessary to protect the vital interests of the data subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Let’s look at this last condition in more detail…
Processing under ‘Legitimate Interests’
The GDPR recognises that as a controller you may have legitimate reasons for processing personal data that the other conditions for processing do not specifically deal with. The “legitimate interests” condition is intended to permit such processing, provided you meet certain requirements.
Although legitimate interests is the most flexible lawful basis for processing, you can’t assume it will always be the most appropriate. It fits best where you plan to use people’s data in ways they would reasonably expect and which have a minimal impact on their privacy. For example, if you hold a current account with a bank, would you reasonably expect the bank to use your details to tell you about its mortgage products? Probably, yes. Before relying on this basis you must identify the legitimate interest you are pursuing, show that the processing is necessary to achieve it, and balance that interest against the interests and fundamental rights and freedoms of the data subject; if theirs override yours, the basis does not apply. Take for instance a baby food manufacturer whose group also sells snacks aimed at teenagers. Would a customer who bought baby food reasonably expect their data to be used to market teenage snacks to them? You might have a hard time arguing this one!
Changes under GDPR?
The biggest change is that you need to document your decisions on legitimate interests so that you can demonstrate compliance under the new GDPR accountability principle. You must also include more information in your privacy notice: the lawful basis you rely on for each purpose and, where that basis is legitimate interests, what those interests are.
You need to look at the various types of data processing carried out within your organisation, identify your lawful basis for each and document it. This is particularly important where you currently rely solely on consent, because GDPR sets a higher standard for valid consent and individuals can withdraw it at any time; if another basis genuinely fits the processing, it should be identified and recorded now rather than after consent is withdrawn.
All organisations need to carefully consider how much personal data they gather, and why. If any categories can be discontinued, do so. For the data that remains, consider whether it needs to be kept in its raw format, and how quickly you can begin the process of anonymisation and pseudonymisation. Bear in mind that pseudonymised data is still personal data under GDPR, since it can be attributed to an individual with the use of additional information; only properly anonymised data falls outside the Regulation.
Marketing under Legitimate Interests
Personal data can be processed for direct marketing purposes as a legitimate interest. You can rely on legitimate interests if you can show that how you use people’s data is proportionate, has minimal privacy impact, and that consumers would not be surprised or likely to object. The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. Two caveats apply: individuals have an absolute right to object to processing for direct marketing, so you must stop as soon as they do, and electronic marketing (email, SMS and similar) is also subject to separate e-privacy rules that may require consent regardless of the lawful basis you rely on under GDPR.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests. Avoid using legitimate interests as the basis for processing if you can’t confidently demonstrate that these rights and interests will be protected. The processing must also be necessary: if you can reasonably achieve the same result in another, less intrusive way, legitimate interests will not apply.