In our third blog about GDPR, which comes into force on 25 May, we looked at conditional consent. This time we will look at what constitutes GDPR legitimate interest, which could provide a way around the need to get consent.
Until recently there has been much consternation amongst business people about this. ICO guidance was not clear and became subject to interpretation by consultants who were second-guessing what it meant.
It appeared that ‘legitimate interest’ could have been interpreted very broadly, leading to many perceived problems and a lot of negativity. People were assuming that the new regulations would prevent them from doing business and that GDPR would be a disabler, not an enabler. However, in April, the ICO published more detailed information on GDPR legitimate interests which has transformed the landscape, enabling companies to breathe a sigh of relief.
One major area of concern had been in doing background checks on new employees. Many employers have assumed that when taking on new members of staff, they would have to get Data Subject consent before doing the background checks. However, although Article 9 says that processing personal data concerning health, life, politics etc. is prohibited, this prohibition does not apply when it comes to the field of employment. This means we can do background checks without the need to get prior consent.
Legitimate Interest Assessments
The ICO has recommended that in cases where companies may not need to obtain consent, they undertake Legitimate Interest Assessments (LIAs). An LIA is a formal process to make sure there is a lawful basis for processing the data and that your business’s legitimate interest doesn’t override that of the Data Subject.
Companies are warned that whilst legitimate interest will often be relevant, it cannot be considered a given and separate assessments must, therefore, be undertaken for different projects.
Used appropriately, as a balancing test, LIAs are a very effective mechanism for companies to be able to carry on doing business, particularly when it comes to electronic communications. These are covered by the Privacy and Electronic Communications Regulations (PECR), which we discussed in the first of our GDPR blogs.