The ICO (Information Commissioner’s Office) has recently published new guidance on Legitimate Interest that provides some clear and detailed examples about how you can use Legitimate Interest for different data processing activities. This new guide will help anyone currently preparing an approach to GDPR based on Legitimate Interest. And if you’re still on the fence about using Legitimate Interest, the new guidance also provides reassurance about when this legal basis is appropriate to use. Read on for a full breakdown of what it says.
Quick recap: what’s Legitimate Interest?
Legitimate Interest is one of 6 legal bases for processing individual data under GDPR. Arts marketing and fundraising have historically used Consent as a basis for processing. But with GDPR raising the bar for Consent, there's been debate about whether Legitimate Interest is actually the best basis for most fundraising and marketing processing activities in the arts. We think Legitimate Interest is likely to be the best approach for a number of reasons we explain in this blog post and in the GDPR Toolkit for the Performing Arts.
What the new guidance says
The guidance says that Legitimate Interest, and not Consent, is often the best basis for activities which cause no harm and are reasonably expected. This is something that the ICO has said before, but this provides further reassurance. The guidance also provides concrete advice and practical examples of instances when you might use Legitimate Interest that will support you in compliance. Here’s a summary of the key advice.
Key advice from the guidance
1. Sharing data with third parties under Legitimate Interest is possible
The guidance says that you may be able to rely on Legitimate Interest in order to lawfully disclose personal data to a third party and that “You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine their lawful basis for their own processing.”
2. Marketing activity can rely on Legitimate Interest
If you were worried Legitimate Interest wasn’t possible for continuing to market to your audience, the guidance says: “You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.”
3. Public authorities can use Legitimate Interest for purposes outside their tasks as a public authority
The guidance says: “If you are a public authority, you cannot rely on legitimate interests for any processing you do to perform your tasks as a public authority. However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider legitimate interests where appropriate. This will be particularly relevant for public authorities with commercial interests.”
4. It outlines the benefits of Legitimate Interest over Consent
Firstly, it explains that because Legitimate Interest is not purpose-specific, it is particularly flexible and it may be applicable in a wide range of different situations. It can also give you more ongoing control and security over your long-term processing than Consent.
Secondly, it also promotes a risk-based approach to compliance as you need to think about the impact of your processing on individuals, which can help you identify risks and take appropriate safeguards. This can also support your obligation to ensure ‘data protection by design’, and help you identify when you might need to do a data protection impact assessment (DPIA).
Finally, it explains that using Legitimate Interest may help you avoid bombarding people with unnecessary consent requests and can help avoid what it calls “consent fatigue”. It can also, if done properly, be an effective way of protecting the individual’s interests, especially when combined with clear privacy information and an upfront opportunity to opt out.
5. It explains in detail how to use Legitimate Interest with PECR
As no conversation about marketing and data protection regulation is complete without understanding PECR (Privacy and Electronic Communications Regulations), it is helpful that the guidance explains that Legitimate Interest is likely to be appropriate for solicited or unsolicited marketing for post, phone calls where there’s no Telephone Preference Service objection, emails and text messages obtained using soft opt-in, and emails to business contacts (see p.29 of the guidance for more).
How to apply this guidance in practice
We’re also offering a 20-minute consultation on GDPR at no charge. Email firstname.lastname@example.org to book your place.
We’re here to help you prepare for GDPR as much as possible, but we can’t offer legal advice and none of the information we provide should be taken as such. We strongly recommend taking your own legal advice before committing to any decision regarding GDPR.