GDPR myths and realities – legitimate interests and consent
In many ways, the GDPR is not very different to the Data Protection Act. That is true of the requirement to identify which of the six lawful “bases for processing” (Article 6) you are relying on to legitimise the processing activity in question.
Some have always been, and remain, clear. In a life-or-death situation I need to process your personal information to protect your vital interests (Art 6(1)(d)). If I present you with a contract that explains why I need your personal information to perform it, and you enter into that contract, then clearly I can process your information for that purpose (Art 6(1)(b)). If the law says I have to collect or share your information, then I have no choice (and neither do you) (Art 6(1)(c)). Or your information may be needed so that government, or others acting under official authority, can carry out their tasks in the public interest (Art 6(1)(e)).
To comply, you need to be clear which one of the six lawful bases (the reasons for doing anything with personal information) legitimises the processing activity in question.
The difference under the GDPR is that you really need to know that basis, in detail, for each activity. This is because:
(1) You have to tell people the legal basis for processing (Art 13(1)(c), and Art 14(1)(c) where you did not collect the information from them directly).
You therefore need to decide what you tell people at the point you collect their information, and what further information goes elsewhere (e.g. in a privacy notice, or other communication).
(2) Many of the rights that individuals have under the GDPR depend on the lawful basis for processing.
For example, an individual can:
Knowing which lawful basis you are relying on for each purpose for which you process personal information will be critical to managing GDPR compliance.
Legitimate consent interests?
There are six lawful bases for processing, listed in Article 6.
Four are described above. Consent is one of the six; so is legitimate interests. You must allocate one to each processing activity.
Yet there has often been confusion over consent and legitimate interests. When the Information Commissioner herself dedicates one of her myth-busting posts to the topic (“Consent is not the ‘silver bullet’ for GDPR compliance”) you know there is widespread concern about misunderstanding.
In last place, consent…
Over the years, people have often been given a false sense that they have complete control over their personal information by being asked to “consent”. Yet often we need to process their information regardless of whether they agree (I might not agree to payroll telling HMRC what I have earned each month, but it is going to happen whether I like it or not). The processing would continue even if the person refused or withdrew their “consent”, which is exactly why consent is the wrong basis for it.
Sometimes the lack of real choice is more fundamental: we would not (indeed, sometimes cannot) provide the service or process the application without the information, so there is no genuine option beyond “take it or leave it”. Consent that cannot be refused without losing the service is not freely given (Art 7(4)), so it is not valid consent; contract or legal obligation is usually the honest basis.
The ICO’s draft GDPR consent guidance (which the ICO says is unlikely to change significantly in its final form) gives a clear steer on what consent means in practice: you need consent “when no other lawful basis applies”. Try to rely on one of the other five bases before resorting to consent, because collecting and maintaining GDPR-standard consent is difficult.
For example, the GDPR requires that you keep records demonstrating consent (Art 7(1)) and that you make it as easy for someone to withdraw their consent as it was to give it (Art 7(3)). The ICO sums up the changes as reflecting a “more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away.”
A note on Direct Marketing
For sending electronic direct marketing messages (email, SMS and similar) you have no choice: you have to rely on consent. This is because you have to comply with two laws at the same time, the GDPR and the Privacy and Electronic Communications Regulations (PECR).
PECR requires consent to send electronic direct marketing messages, and that removes the choice you would otherwise have under the GDPR. The one exception is PECR’s “soft opt-in” for existing customers (reg 22(3)), which applies only if you gave the person a clear chance to refuse when you collected their details, and again in every message since.
Non-electronic direct marketing, i.e. post, is different: PECR does not apply, so you are only complying with the GDPR and can rely on any of the six bases (in practice usually legitimate interests, which Recital 47 expressly contemplates for direct marketing).
‘Legitimate interests’ is not a given – it requires an assessment
Legitimate interests can cover a great variety of activities, because it rests on a balance between your needs (the needs of the organisation) and the interests and fundamental rights and freedoms of the individual whose information you are processing to meet that need.
But it is not simply a tick-box exercise: to rely on legitimate interests as your basis for processing you need to carry out an assessment (the ICO calls it a legitimate interests assessment, or LIA) in three parts. Purpose: what is your interest? Necessity: why is it necessary to process the personal information to fulfil it, and could you achieve the same with less? Balance: what are the individual’s interests, rights and freedoms, what would they reasonably expect, and why do you conclude these do not override your interests?
Keep the assessment on file: under the accountability principle (Art 5(2)) you must be able to demonstrate that you carried it out, and it is what you will return to if someone objects.
When you collect their information you must tell people what legitimate interests you are pursuing (Art 13(1)(d)); the assessment, or a summary of it, is what you draw on for that notice.
Protecture has developed a Legitimate Interests Assessment Tool for its subscribers.
A note for public authorities
The GDPR states that public authorities cannot rely on legitimate interests when processing personal information in the performance of their public tasks (Art 6(1), final subparagraph). As mentioned above, they should not need to, because they have the “public interest” basis for processing to rely on.
A note for public authorities that have charitable teams / functions.
For public authorities such as universities and NHS charities, which process personal information for both their public tasks and charitable aims, the government (DCMS) and the ICO have confirmed they can still use legitimate interests. They can rely on legitimate interests for any processing that is not carried out in the performance of their public duties. These are classed as “hybrid” authorities, doing both public functions and other functions.
Pros and cons: consent vs legitimate interests.
The big difference is how you manage your relationship with the individual.
If you seek their consent, and they subsequently withdraw it, that action is absolute: no debate. You no longer have a basis for processing their information, so you must stop immediately. Withdrawal does not make the processing you did before it unlawful (Art 7(3)), but from that point on you have nothing to rely on. If you asked for consent to store the data and that consent is withdrawn, you must delete the data without delay.
It is also worth noting that consent does not last forever: you need a clear process for deciding when to review it. The process must set out when and how to refresh consent, so that it remains an informed and unambiguous indication of the person’s wishes.
If you rely on legitimate interests, then they can object, but you can defend your position: you assess, case by case, the concerns the individual raises and their particular situation (Art 21(1)). You could conclude, having considered the objection, that you have compelling legitimate grounds which override their interests, rights and freedoms (or that you need the data to establish, exercise or defend legal claims), and so continue the processing. The one exception is direct marketing: an objection to processing for direct marketing is absolute and you must stop (Art 21(2) and (3)).
What to do now