The General Data Protection Regulation (GDPR), which comes into force in 2018, represents the biggest change in data protection for over 20 years.
We provide comprehensive consultancy and guidance to UK and international entities, helping them prepare their organisation for the changes GDPR will bring.
WHAT DOES GDPR SAY ABOUT LEGITIMATE INTEREST DATA PROCESSING?
Under GDPR, processing will be considered lawful if:
It is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.
The obligation on data controllers in Article 6 is not hugely different from their responsibilities prior to GDPR. But, significantly, GDPR attaches greater weight to the protection of data belonging to children. There is also a new requirement to keep a record of the basis of legitimate interest processing so that you can be accountable for any decisions you make if necessary.
WHAT IS A LEGITIMATE INTEREST ASSESSMENT?
The ICO website outlines the need to carry out a Legitimate Interest Assessment (LIA) when seeking to rely on legitimate interest as a lawful ground for processing data. It involves considering the following:
· Does a legitimate interest exist? Examples of what may be a legitimate interest include fraud prevention, IT security, use of employee data and disclosure of personal information to prevent crime.
· Is the processing necessary? Even if there is a legitimate interest, you must demonstrate that there is no other reasonable way to get the same result.
· Do the individual’s interests override the legitimate interest? If, for example, use of the data is likely to cause harm to an individual, it will be difficult to justify processing under legitimate interest.
It’s important to consider these issues if using legitimate interests as a ground to process data. Generally speaking, use of highly sensitive data or use of data in a way that people would not ordinarily expect is less likely to be justifiable under this ground. Big Data Law provides bespoke LIAs tailored to your circumstances. We keep these under regular review so that they remain fit for purpose as commercial circumstances change and the nature of data you capture fluctuates.
DOES IT MATTER WHICH GROUND WE USE FOR DATA PROCESSING?
Carrying out risk assessments like the LIA may appear cumbersome. But the lawful ground you choose to rely on for processing information is not just an academic exercise. The rights of individuals and your own position can differ considerably depending on which processing ground you apply. For example, an individual will not automatically benefit from the so-called ‘right to be forgotten’ under Article 17 of GDPR when his or her data is processed on legitimate interest grounds. That’s not true when consent is used as a basis for processing. Similarly, an individual’s right to data portability is limited when a controller uses legitimate interest to justify processing.
INFORMING INDIVIDUALS OF LEGITIMATE INTEREST PROCESSING
When using the legitimate interest ground you must let individuals know:
· How their data is being processed
· That it is being processed under the legitimate interest ground
· What the legitimate interest is
· That they can object
For many clients, getting the message across to individuals about legitimate interests can prove problematic. We provide bespoke information templates that ensure you fully comply with the law while reassuring individuals that you have carried out an exhaustive assessment of any potential impact the processing will have on them.
At Big Data Law, our GDPR compliance packages can help ensure you meet your obligations. For more information, please contact GDPR Solicitors UK or call us on 0203 670 5540.
