GDPR, lawful processing, consent and legitimate interest


Two of the most frequent questions we are asked regarding GDPR relate to the conditions of ‘Consent’ and ‘Legitimate Interest’. In this blog post I’ll look at what the GDPR says and, with the help of the ICO’s guidance, explain what this really means. Self-assessment is an important part of GDPR, so I’ve also included three really useful checklists (again taken directly from the ICO guidelines) designed to help you formulate and apply these concepts.

In order to help clarify these questions, this blog post extracts the relevant information directly from the GDPR text itself and from the guidance given by the ICO (the Information Commissioner’s Office). Search online and you’ll find lots of other comment and interpretation, but as these are the Regulations themselves and the guidance of the Data Protection Authority in place (in the UK) to enforce them, there should be no more definitive reference than the content included here.

Sources

The GDPR – transcripts of the GDPR text can be found online, but one of the easiest to follow can be found here.

===================================================================================================
“Extracts taken directly from the GDPR text are shown in italics in grey like this…”
===================================================================================================

The ICO Guidance – much of the remainder, including the checklists (look for the sections marked as * * * * * * ), is taken directly from the ICO’s online guidance on GDPR. In many areas there is more information available than is replicated here, so please refer to the original ICO source for further information.

Personal data and Data Processing

Firstly, just to set the scene. Although marketers are right to be aware of it, GDPR is not about marketing. It’s about data and data protection. At its heart are two concepts – that of ‘personal data’ and the ‘processing’ of it. So let’s deal with these first.

What the GDPR says on ‘personal data’

===================================================================================================
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
===================================================================================================

What the GDPR says on ‘data processing’

===================================================================================================
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
===================================================================================================

Lawful processing

From the above it’s clear that ‘processing’ can take many forms. Whatever form that processing may take, another fundamental of GDPR is that any processing of personal data needs to be lawful. The Regulation goes on to describe in detail what ‘lawful’ means and then to define six categories (or ‘bases’) within which data processing would be considered lawful – namely consent, contractual, legal obligation, vital interest, public interest and legitimate interest.

What the GDPR says on ‘lawful processing’

===================================================================================================
“Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. 
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”
===================================================================================================

Guidance from the ICO

GDPR requires that personal data shall be

– processed lawfully, fairly and in a transparent manner in relation to individuals;
– collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
– adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
– accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
– kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
– processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

What the GDPR says on the six bases for lawful processing

===================================================================================================
“In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis… Processing shall be lawful only if and to the extent that at least one of the following applies.
– The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
– Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
– Processing is necessary for compliance with a legal obligation to which the controller is subject;
– Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
– Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…”
===================================================================================================

Guidance from the ICO

Here’s a summary of some of the ICO guidelines on lawful processing – there are more, so it’s worth checking out the reference at the end of this post for further reading.

– You must have a valid lawful basis in order to process personal data. Of the six defined, no single basis is better or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
– Most lawful bases require that processing is necessary. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
– You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason.
– Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
– If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).

Checklist – Lawful Processing

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 
☐ We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
☐ We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
☐ We have documented our decision on which lawful basis applies to help us demonstrate compliance.
☐ We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.
☐ Where we process special category data, we have also identified a condition for processing special category data, and have documented this.
☐ Where we process criminal offence data, we have also identified a condition for processing this data, and have documented this.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 

Consent

In many ways, the new rules on consent simply bring this concept closer into line with those of ‘permission’ marketing. Anyone who is already practising a robust permission-based email marketing strategy will have little more to do in order to comply with the new definitions of consent which GDPR brings.

What the GDPR says on ‘Consent’

===================================================================================================
On consent
“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

On how consent can be given…
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”

On how consent should be demonstrable…
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

On how consent cannot be ‘bundled’…
“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

On the need to re-establish consent already gained…
“Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.”

And on how consent may be withdrawn…
“The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”
===================================================================================================

Guidance from the ICO

Here’s a summary of some of the ICO guidelines on consent – again, there are more, so it’s worth checking out the reference at the end of this post for further reading.

– The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
– The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires individual (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
– Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.
– Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
– Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
– Explicit consent requires a very clear and specific statement of consent.
– Keep your consent requests separate from other terms and conditions.
– Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough. Be clear and concise.
– Name any third party controllers who will rely on the consent.
– Make it easy for people to withdraw consent and tell them how.
– Keep evidence of consent – who, when, how, and what you told people.
– Keep consent under review, and refresh it if anything changes.
– Avoid making consent to processing a precondition of a service.

Checklist – Consent

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
☐ We have checked that consent is the most appropriate lawful basis for processing.
☐ We have made the request for consent prominent and separate from our terms and conditions.
☐ We ask people to positively opt in.
☐ We don’t use pre-ticked boxes or any other type of default consent.
☐ We use clear, plain language that is easy to understand.
☐ We specify why we want the data and what we’re going to do with it.
☐ We give individual (‘granular’) options to consent separately to different purposes and types of processing.
☐ We name our organisation and any third party controllers who will be relying on the consent.
☐ We tell individuals they can withdraw their consent.
☐ We ensure that individuals can refuse to consent without detriment.
☐ We avoid making consent a precondition of a service.
☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
☐ We keep a record of when and how we got consent from the individual.
☐ We keep a record of exactly what they were told at the time.
☐ We regularly review consents to check that the relationship, the processing and the purposes have not changed.
☐ We have processes in place to refresh consent at appropriate intervals, including any parental consents.
☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.
☐ We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
☐ We act on withdrawals of consent as soon as we can.
☐ We don’t penalise individuals who wish to withdraw consent.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Legitimate Interest

The condition of Legitimate Interest is possibly the one which raises most questions. For marketers the cases of Consent (and Contractual) are fairly self-evident. All that GDPR does is to further clarify and tighten previous definitions of these cases. The case of Legitimate Interest is actually similar to the definition in Schedule 2 of the 1998 Act – as with Consent, GDPR seeks to further clarify this.

What the GDPR says on ‘Legitimate Interest’

===================================================================================================
On Legitimate Interest
“Processing shall be lawful … if …
it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…”

Further detail…
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
===================================================================================================

Guidance from the ICO

Here’s a summary of some of the ICO guidelines on Legitimate Interest…

– You can now consider the legitimate interests of any third party, including wider benefits to society. And when weighing against the individual’s interests, the focus is wider than the emphasis on ‘unwarranted prejudice’ to the individual in the 1998 Act. For example, unexpected processing is likely to affect whether the individual’s interests override your legitimate interests, even without specific harm.
– The biggest change is that you need to document your decisions on legitimate interests so that you can demonstrate compliance under the new GDPR accountability principle. You must also include more information in your privacy notice.
– In the run up to 25 May 2018, you need to review your existing processing to identify your lawful basis and document where you rely on legitimate interests, update your privacy notice, and communicate it to individuals.

Legitimate Interest can be broken down into a three-part test:

– Purpose test: are you pursuing a legitimate interest?
– Necessity test: is the processing necessary for that purpose?
– Balancing test: do the individual’s interests override the legitimate interest?

– A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
– The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.
– ‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
– You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.

When can we rely on legitimate interests?

– Legitimate interests is the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your processing.
– If you choose to rely on legitimate interests, you take on extra responsibility for ensuring people’s rights and interests are fully considered and protected.
– Legitimate interests is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. Where there is an impact on individuals, it may still apply if you can show there is an even more compelling benefit to the processing and the impact is justified.
– You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
– You can consider legitimate interests for processing children’s data, but you must take extra care to make sure their interests are protected.
– You may be able to rely on legitimate interests in order to lawfully disclose personal data to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine their lawful basis for their own processing.
– You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them. You should also avoid this basis for processing that could cause harm, unless you are confident there is nevertheless a compelling reason to go ahead which justifies the impact.
– If you are a public authority, you cannot rely on legitimate interests for any processing you do to perform your tasks as a public authority. However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider legitimate interests where appropriate. This will be particularly relevant for public authorities with commercial interests.

How can we apply it in practice?

– If you want to rely on legitimate interests, you can use the three-part test to assess whether it applies. We refer to this as a legitimate interests assessment (LIA) and you should do it before you start the processing. An LIA is a type of light-touch risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations under Articles 5(2) and 24. In some cases an LIA will be quite short, but in others there will be more to consider.

First, identify the legitimate interest(s). Consider:

• Why do you want to process the data – what are you trying to achieve?
• Who benefits from the processing? In what way?
• Are there any wider public benefits to the processing?
• How important are those benefits?
• What would the impact be if you couldn’t go ahead?
• Would your use of the data be unethical or unlawful in any way?

Second, apply the necessity test. Consider:

• Does this processing actually help to further that interest?
• Is it a reasonable way to go about it?
• Is there another less intrusive way to achieve the same result?

Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

– What is the nature of your relationship with the individual?
– Is any of the data particularly sensitive or private?
– Would people expect you to use their data in this way?
– Are you happy to explain it to them?
– Are some people likely to object or find it intrusive?
– What is the possible impact on the individual?
– How big an impact might it have on them?
– Are you processing children’s data?
– Are any of the individuals vulnerable in any other way?
– Can you adopt any safeguards to minimise the impact?
– Can you offer an opt-out?

– You then need to make a decision about whether you still think legitimate interests is an appropriate basis. There’s no foolproof formula for the outcome of the balancing test – but you must be confident that your legitimate interests are not overridden by the risks you have identified.
– Keep a record of your LIA and the outcome. There is no standard format for this, but it’s important to record your thinking to help show you have proper decision-making processes in place and to justify the outcome.
– Keep your LIA under review and refresh it if there is a significant change in the purpose, nature or context of the processing.
– If you are not sure about the outcome of the balancing test, it may be safer to look for another lawful basis. Legitimate interests will not often be the most appropriate basis for processing which is unexpected or high risk.

What else do we need to consider?

– You must tell people in your privacy notice that you are relying on legitimate interests, and explain what these interests are.
– If you want to process the personal data for a new purpose, you may be able to continue processing under legitimate interests as long as your new purpose is compatible with your original purpose. We would still recommend that you conduct a new LIA, as this will help you demonstrate compatibility.
– If you rely on legitimate interests, the right to data portability does not apply.
– If you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when someone objects. For other purposes, you must stop unless you can show that your legitimate interests are compelling enough to override the individual’s rights. See our guidance on individual rights for more on this.

Checklist – Legitimate Interest

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
☐ We have checked that legitimate interests is the most appropriate basis.
☐ We understand our responsibility to protect the individual’s interests.
☐ We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
☐ We have identified the relevant legitimate interests.
☐ We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
☐ We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
☐ We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
☐ We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
☐ If we process children’s data, we take extra care to make sure we protect their interests.
☐ We have considered safeguards to reduce the impact where possible.
☐ We have considered whether we can offer an opt out.
☐ We keep our LIA under review, and repeat it if circumstances change.
☐ We include information about our legitimate interests in our privacy notice.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Just want an overview? Here’s another GDPR link you may find useful.
Getting ready for GDPR. 20 points for Email Marketers.