The ICO Updates Its Guidance on GDPR

The ICO has now updated its GDPR documentation to include long-anticipated guidance on using Legitimate Interest as a basis for processing data under the General Data Protection Regulation (GDPR). The big update is the clarification that Legitimate Interest is on the same footing as Consent. The guidance also makes it explicit that Legitimate Interest is available to Public Authorities.

This is a positive development for the sector. If you’ve been considering using Legitimate Interest as a basis for processing, you can now feel reassured that this is a viable option for virtually all data processing undertaken by most performing arts organisations. The guidance also provides concrete steps that organisations should take when using Legitimate Interest as a basis for processing data.

Here are some of the highlights.

On choosing the best basis for processing:

“You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR.”

On Legitimate Interest as a basis:

“It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

On third-party sharing:

“You may be able to rely on legitimate interests in order to lawfully disclose personal data to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine their lawful basis for their own processing.”

On public authorities:

“Public authorities are more limited in their ability to rely on legitimate interests, and should consider the ‘public task’ basis instead for any processing they do to perform their tasks as a public authority. Legitimate interests may still be available for other legitimate processing outside of those tasks.”

Of course, when using a Legitimate Interest basis for processing, you also need to make sure that email, phone, and text message communications meet PECR requirements.
