GDPR: It’s Not All About Consent
Using Legitimate Interest and the Other Legal Bases
The discourse about the General Data Protection Regulation (GDPR) has been dominated by the topic of consent. “When do you need it?” “How do you collect it?” “How do you prove you have it?”
There are good reasons why consent has dominated the discussion, but it’s easy to forget that GDPR sets out five other legal bases that organisations can use to process personal data, depending on the type of processing.
Aside from processing based on the data subject’s consent, GDPR says that processing personal data can be lawful:
- If it is necessary for the performance of a contract
- To comply with a legal obligation
- To protect a person’s vital interests
- For the performance of a task carried out in the public interest or in the exercise of the controller’s official authority
- For the legitimate interests of the controller (or of a third party), unless those interests are overridden by the interests or fundamental rights of the data subject.
The ICO offers more detail on the six legal bases for lawful processing.
It’s important to apply some common sense when assessing how necessary the processing is to achieve your purpose. Every basis other than consent requires the processing to be “necessary” for the stated purpose: if you could reasonably achieve the same purpose without using that data, the necessity condition isn’t met and that basis won’t be available to you. Choose wisely, because switching your legal basis midstream is likely to breach the accountability and transparency requirements of GDPR; changing the basis after the data has been collected is probably unfair to the data subject, who was told something different at the time.
Below are some examples of how the legal bases may be used to justify some common processing activities:
- Consent: sending e-mail newsletters and appeals
- Contract Performance: processing payment information when a person buys concert tickets online
- Legal Obligation: using donor information to file Gift Aid
- Protecting Vital Interests: processing health information to provide emergency health care treatment
- Public Interest Task/Authority: universities mailing out student reports at the end of the term
- Legitimate Interests: conducting wealth scoring analysis on potential donors
Many non-profits are relying on the legitimate interests basis for some of their uses of constituents’ personal data, such as performing analytics. Using legitimate interests requires that you:
- Conduct (and document) a balancing test between your interests and the rights of the data subject
- Tell constituents that you’re relying on legitimate interests, and what those interests are
- Allow constituents to object to the processing (an objection to direct marketing must always be honoured).
Here comes the legal bit…
The legitimate interests basis makes processing lawful if it is necessary for the legitimate interests of the controller (i.e. the non-profit) or of a third party, and requires the successful outcome of a balancing test between the data subject’s right to privacy and the organisation’s interests. Such a balancing test requires controllers to take into consideration factors such as:
- The nature of the controller’s interest
- The impact on the data subject (which doesn’t need to be negative, just an impact)
- How the data is processed (data mining, profiling and large-scale analytics attract closer scrutiny and are harder to justify)
- Reasonable expectations of the data subject (the more expected the processing is, the better)
- Whether less invasive means of achieving the same result are possible.
This isn’t new to GDPR; it was already contained in the 1995 Data Protection Directive (95/46/EC), which brought about the UK’s 1998 Data Protection Act!
However, GDPR does add two requirements to processing for legitimate interests: the first relates to transparency and the second to internal documentation:
- The controller must explicitly inform data subjects, at the time of collection, of the purposes of the processing and the legitimate interests it is relying on to process the data. In other words, it is not enough for a controller to decide internally to rely on legitimate interests as a basis for processing; it must also state that determination in its privacy notice or other communication to the data subject.
- Secondly, the controller must document and retain its analysis under the legitimate interests balancing test, so that it can demonstrate its reasoning to the regulator if asked.
GDPR also narrows the pool of controllers that may rely on legitimate interests, setting out that public authorities may not use legitimate interests as a lawful basis for processing personal data in the performance of their tasks. Note, however, that public authorities can still rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
PECR / ePrivacy
Before you mothball all your plans to collect consent for direct marketing in favour of relying on legitimate interests, keep in mind that to send unsolicited marketing by e-mail, fax, text or phone, an organisation must comply with both GDPR and the UK’s Privacy and Electronic Communications Regulations (“PECR”). Under PECR, to send direct marketing to individuals (‘natural persons’), you must either:
- have their consent, or
- be marketing to an existing customer whose details you obtained in the course of a sale (or negotiations for a sale) of a product or service, about your own similar products or services, and have given them a simple way to opt out both when you collected their details and in every message. This is referred to as the “soft opt-in.” Only organisations selling goods or services can take advantage of the soft opt-in, which is why non-profits are so focused on obtaining consent: fundraising organisations largely can’t use the soft opt-in to send marketing e-mails.
Your choice of legal basis affects how much control constituents have to stop your use of their data. When you process data based on consent, public tasks or legitimate interests, constituents have the right to withdraw consent (for the first) or to object to the processing (for the latter two).
You can use the consent preference management features we’ve added to our CRM database solutions to record and manage constituents’ opt-out of processing based on consent, public tasks or legitimate interest.
While the information provided herein is reliable, it does not constitute legal advice and should not be construed as legal advice or legal opinion on any specific factors or circumstances.