Ideas from the team


GDPR: Clarity on Legitimate Interest for Charities & Council Venues

Having spent the last few months talking to our clients, leaders in the arts sector and data protection experts about the upcoming General Data Protection Act, one thing we’ve heard again and again is that the regulation is difficult to interpret. Understandably, this is impacting the arts sector’s ability to make decisions about how they will comply.

But over the festive break, there’s been some movement towards much-needed clarity in a couple of areas. So what’s new?

1. Council-run and university arts organisations can likely carry out Legitimate Interest-based processing

The House of Lords has now passed an amendment to the Data Protection Bill (which will enshrine GDPR in UK law) that likely gives university and council-run organisations the ability to use Legitimate Interest as a lawful basis for processing data, including communications. This review of the amendment goes into more detail.

Up to now there has been vigorous debate about whether GDPR’s restriction on public authorities’ use of Legitimate Interest as a basis for processing applies to a commercial entity owned by a local authority or other public body. If you’re working in a university, council-run or charitable organisation, these recent developments are a positive step forward. Make sure you review your GDPR plans with this in mind.

2. The ICO is recommending that charities explore Legitimate Interest

The Information Commissioner's Office (ICO) has published a new FAQ for the charity sector. The whole document is worth a read but these points stood out for us:

  • The ICO goes into detail about the new and more stringent requirements for Consent under GDPR and explicitly recommends looking to alternative bases for processing data such as Legitimate Interest if you no longer wish to rely on Consent.
  • They further clarify that whilst some types of email require Consent, not all do and helpfully link to further guidance on how to know the difference.
  • They also state that not all organisations are required to have a Data Protection Officer and give guidance on which do.

We’ll keep watching for updates and clarifications from industry experts and the ICO and will share our thoughts as we go, so check back again soon.

For a refresher on the basic concepts behind GDPR and PECR, especially on Consent and Legitimate Interest, we recommend these earlier posts: