Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate if:
* you use people’s data in ways they would reasonably expect and which have a minimal privacy impact; or
* there is a compelling justification for the processing.
The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.
If you want to rely on legitimate interests, you can use the three-part test, or a legitimate interests assessment (LIA), to assess whether it applies. You should do it before you start the processing.
Firstly, identify the legitimate interest(s). Consider:
* Why do you want to process the data – what are you trying to achieve?
* Who benefits from the processing? In what way?
* Are there any wider public benefits to the processing?
* How important are those benefits?
* What would the impact be if you couldn’t go ahead?
* Would your use of the data be unethical or unlawful in any way?
Secondly, apply the necessity test. Consider:
* Does this processing actually help to further that interest?
* Is it a reasonable way to go about it?
* Is there another less intrusive way to achieve the same result?
Thirdly, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:
* What is the nature of your relationship with the individual?
* Is any of the data particularly sensitive or private?
* Would people expect you to use their data in this way?
* Are you happy to explain it to them?
* Are some people likely to object or find it intrusive?
* What is the possible impact on the individual?
* How big an impact might it have on them?
* Are you processing children’s data?
* Are any of the individuals vulnerable in any other way?
* Can you adopt any safeguards to minimise the impact?
* Can you offer an opt-out?
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.