Legitimate interests – a burden lifted?

Have you seen the guidance from the ICO on grounds for processing data? It is highly significant from a law firm's perspective, as it clarifies the position on using Legitimate Interests as a ground for processing data.

Much of the guidance concerns electronic business-to-business marketing, which will of course matter to many firms operating in the commercial sphere. This announcement, however, relates to one of the biggest hurdles a firm has to overcome to ensure compliance.


How is it going to deal with stored data?

The position until now has been that, to be able to process data, you have to have the consent of the data subject.

Processing data includes its destruction. This has proved a major concern for firms with stored files going back many years: the physical difficulty of methodical mass destruction before the deadline may seem insurmountable, and the logistics of contacting all the relevant data subjects for their permission, and receiving their positive opt-ins, are equally challenging. And of course, you are no longer permitted to solicit subjects for consent after May 25, 2018.

But the landscape has changed with the latest guidance, which defines much more clearly the grounds for using Legitimate Interests (LI) as a basis for processing. It covers quite comprehensively the scenarios in which legitimate interests will provide a lawful basis for processing.

How do we put this into practice?

There are three elements to the Legitimate Interests basis, and it helps to think of this as a test:

  • The LIs can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
  • The processing must be necessary. If you can reasonably achieve the same result in another, less intrusive way, LI will not apply.
  • You must balance your interests against the individual's. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your LIs.
  • Keep a record of your LI assessment (LIA) to help you demonstrate compliance if required.
  • You must include details of your LI in your privacy information.

So, does the above mean that we can all relax about this issue?

Well, yes and no. Whilst practices have been given an escape route, it is not necessarily a straight downhill run.

The advice goes on to recommend that comprehensive checklists are deployed, and its example is set out below. You will need to ensure that the thinking and processing behind each separate limb of the checklist is properly considered and documented, so that it forms a viable audit trail to the conclusions you reach in justifying LI as a basis for processing. Remember that different criteria apply if you are processing special category data.

  • We have checked that legitimate interest is the most appropriate basis.
  • We understand our responsibility to protect the individual’s interests.
  • We have conducted a legitimate interest assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
  • We have identified the relevant legitimate interests.
  • We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
  • We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
  • We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
  • We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
  • If we process children’s data, we take extra care to make sure we protect their interests.
  • We have considered safeguards to reduce the impact where possible.
  • We have considered whether we can offer an opt out.
  • If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
  • We keep our LIA under review, and repeat it if circumstances change.
  • We include information about our legitimate interests in our privacy information.

The conundrum that has been taxing the collective thinking of the profession over the past few months might now prove more easily soluble than it has appeared until now. However, firms must always bear in mind the fundamental principles of processing: that processors should gather only as much data as is absolutely necessary for the legitimate purpose, and that it should not be kept for any longer than is absolutely necessary.

It also needs to be demonstrated that no other, more suitable ground for processing could be identified. It is vital that the exercise of balancing the subject's interests against the firm's interests, as described in the advice, is carried out and documented punctiliously. Lastly, it will of course be prudent to seek new subjects' consent to process at the outset of the relationship.


Needless to say, the GDPR now tests all law firms UK-wide, without exception, and all need to be prepared and, very importantly, aware of the detail. For more information and a free, no obligation meeting, contact us.