In detail

Is this a big change?

No. The role of legitimate interests as a potential lawful basis (or condition) for processing is not new. Legitimate interests was one of the conditions for processing under the 1998 Act and the wording of this provision is similar:

1998 Act:

“The processing is necessary for the purposes of legitimate interests pursued by the data controller…

…or by the third party or parties to whom the data are disclosed, …

…except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

 

 

GDPR:

“processing is necessary for the purposes of the legitimate interests pursued by the controller…

…or by a third party, …

…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

There are some differences in wording, but the three key elements of the concept of legitimate interests remain the same:

  • a legitimate interest;
  • a necessity test;
  • a balance with individuals’ interests, rights and freedoms.

The main changes instead arise out of the way legitimate interests interacts with new accountability and transparency requirements. There is also a bigger change for public authorities, who are more restricted in when they can rely on legitimate interests.

How is the wording different?

While the key elements remain the same, there are some small changes to the detail.

Legitimate interests that are relevant are no longer limited to your own interests or those of third parties to whom you disclose the data. You can now consider the interests of any third party, including the wider benefits to society.

Under the 1998 Act, the processing impact had to be unwarranted due to prejudice to the individual’s interests before it would override your legitimate interests, ie the provision implied a focus on demonstrable harm. However, prejudice is not a term used in the GDPR version of the provision, and it’s clear that this is intended to be wider than a pure harm-based assessment. For example, Recital 47 indicates that if the individual does not reasonably expect the processing, their rights may override your legitimate interests.

The provision also highlights children’s data as requiring special consideration. If your processing includes children’s personal data, you must give particular weight to protecting their data and ensure that you properly consider their interests and their rights and freedoms. For further information see the section on children’s personal data and legitimate interests.

What else is new?

The GDPR brings in new accountability and transparency requirements.

Under the new accountability principle you need to be able to show that you have a lawful basis for each processing operation. If you are relying on legitimate interests, you need to document your assessment of how it applies to the particular processing, and ensure that you can justify your decision if necessary.

As the application of legitimate interests is not always self-evident, documenting your assessment of legitimate interests is particularly important in helping you to demonstrate compliance under the accountability principle.

Under transparency requirements you must inform individuals upfront which lawful basis you are relying on. If you are relying on legitimate interests as your basis, you must also tell individuals what these legitimate interests are. See the section on what do we need to tell people for further information.

The ability of public authorities to rely on legitimate interests is more limited under the GDPR – for more information see the section on can public authorities use legitimate interests.

What are the key steps to take to prepare for the GDPR?

You must ensure that you bring any processing of personal data already underway into conformity with the GDPR prior to 25 May 2018. As part of this exercise, you need to review your existing processing operations and conditions for processing, and take steps to ensure that you meet the accountability and transparency requirements of the GDPR.

If you were relying on legitimate interests as your condition for processing under the 1998 Act, in many cases you are able to continue to rely on this as your basis for processing under the GDPR.

However you must check whether legitimate interests remains the most suitable basis for your processing. This is your chance to ensure that you have selected the most appropriate basis (or bases). If you find at a later date that the legitimate interests basis was inappropriate, it is difficult to retrospectively swap to a different basis that you did not initially identify as this would lead to breaches of the accountability and transparency provisions.

If you wish to continue relying on legitimate interests, you need to make sure that you can demonstrate that it applies, in line with the approach set out in this guidance.

In order to the meet the accountability requirements you should document your decision and the factors you took into account.

You must also update your privacy information to clearly say that you are relying on legitimate interests as your lawful basis, and say what your legitimate interests are.

Further reading - ICO guidance

Lawful basis for processing

Right to be informed

Can we move to legitimate interests from a different basis under the 1998 Act?

Yes. If you discover that your existing basis (or condition) for processing under the 1998 Act is inappropriate under the GDPR, or you decide that legitimate interests is actually more appropriate, then you can choose to swap to legitimate interests.

If for example you have been processing on the basis of consent but you find that your existing consents do not meet the GDPR standard, and you do not wish to seek fresh GDPR-compliant consent, you may be able to consider legitimate interests instead. However you must be confident that you want to take responsibility for demonstrating that your processing is in line with people’s reasonable expectations and that it wouldn’t have an unjustified impact on them.

You must still ensure that your processing is fair. If you wish to move from consent under the 1998 Act to legitimate interests under the GDPR, you need to ensure that you clearly inform individuals of the change in your privacy notice. To ensure there is no unjustified impact on their rights, you should consider giving them a clear chance to opt out, and retaining any preference controls that were in place.

You also need to inform individuals of their right to object to processing based on legitimate interests (although this is not an absolute right in most cases).