If you want to rely on ‘legitimate interests’ as a lawful basis, you must carry out the three-part test to assess whether it applies. This test is normally referred to as a ‘legitimate interests assessment’ (LIA). It must be done before you start the processing, and all three elements of the assessment must be satisfied for the basis to be valid.
Depending on the nature of your operations and the specific context and circumstances of the processing, a ‘legitimate interests assessment’ could be anything from a light-touch risk assessment to a full-blown Data Protection Impact Assessment.
First, identify the legitimate interest(s). Consider:
Why do you want to process the data – what are you trying to achieve?
Who benefits from the processing? In what way?
Are there any wider public benefits to the processing?
How important are those benefits?
What would the impact be if you couldn’t go ahead?
Would your use of the data be unethical or unlawful in any way?
Does the GDPR, e-Privacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity? (This is subject, of course, to a positive outcome of the balancing test.)
Second, apply the necessity test. Consider:
Does this processing actually help to further that interest?
Is it a reasonable way to go about it?
Why is the processing activity important to other parties the data may be disclosed to, if applicable?
Is there another less intrusive way of achieving the objectives?
Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified:
What is the nature of your relationship with the individual?
Is any of the data particularly sensitive or private?
Would people expect you to use their data in this way?
Is there an imbalance of power between you and the individual?
Are you prepared to fully explain your use of the lawful basis to individuals?
Are some people likely to object or find it intrusive?
What is the possible impact on the individual? (both positive and negative)
How big an impact might it have on them?
Are you processing children’s data?
Are any of the individuals vulnerable in any other way (i.e. for reasons other than being children)?
Can you adopt any safeguards to minimise the impact?
Can you offer an opt-out?
Would your organisation or a third party be prejudiced in any way if the processing does not happen?
Establishing a final balance by taking into account additional safeguards
Using privacy enhancing technologies and approaches could tip the balance in favour of the controller and protect individuals too. Safeguards include a range of compensating controls or measures which may be put in place to protect the individual, or to reduce any risks or potentially negative impacts of processing.
Identify and implement appropriate additional safeguards resulting from the duty of care and diligence such as:
data minimisation (e.g. strict limitations on data collection, or immediate deletion of data after use);
technical and organisational measures to ensure that the data cannot be used to take decisions or other actions with respect to individuals ('functional separation');
wide use of pseudonymisation, aggregation of data, privacy-enhancing technologies, privacy by design, privacy and data protection impact assessments;
increased transparency, a general and unconditional right to object (opt-out), data portability and related measures to empower data subjects.
You then need to make a decision about whether you still think legitimate interests is an appropriate basis. Legitimate interests will not often be the most appropriate basis for processing which is unexpected or considered high-risk. If your LIA identifies significant risks, consider whether you need to do a proper data protection impact assessment (DPIA) to assess the risk and potential mitigation in more detail. If you are not sure about the outcome of the balancing test, it may be safer to look for another lawful basis.
The LIA will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations. Individuals also need to be informed via your privacy notices. Keep a record of your LIA and the outcome. There is no standard format for this, but it’s important to record your thinking to help show you have proper decision-making processes in place and to justify the outcome. Keep your LIA under review and refresh it if there is a significant change in the purpose, nature or context of the processing.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018