How is a legitimate interest assessment conducted?

In order for a controller to use legitimate interest as the legal ground for processing personal data, the controller will need to conduct a legitimate interest assessment (LIA).  An LIA consists of at least five parts:

  • The purpose for the processing of the personal data 
  • The necessity of the processing  
  • If the processing is necessary, whether the impact on individuals overrides the organization’s legitimate interests
  • If the impact on individuals overrides the organization’s legitimate interest, whether safeguards sufficiently minimize the impact on individuals
  • If safeguards do not sufficiently minimize the impact on individuals and security risks exist, whether technical and organizational security measures sufficiently minimize the impact on individuals

The purpose of the processing is where you identify your legitimate interest.  You (or a third party) must have a clear and specific benefit or outcome in mind.  A vague or generic business interest is not sufficient.  The recitals to the GDPR recognize preventing fraud, ensuring network and information security, or indicating possible criminal acts or threats to public security as a legitimate interest and indicate that processing employee or client data, direct marketing or administrative transfers within a group of companies may be a legitimate interest.  These are not the only situations that are or might be a legitimate interest, but they are good examples.

The processing must be necessary for the purposes of the identified legitimate interest.  The processing doesn’t have to be essential, but it does have to be a proportionate way of achieving the purpose.  You need to consider whether there is a less intrusive way to achieve the purpose, and if there is a less invasive way, then the more invasive way is not necessary.

The last three parts make up the balancing test.  You need to consider the interests and fundamental rights and freedoms of the individual and whether they override your identified legitimate interest.  If the impact on individuals overrides your legitimate interest, consider whether there are any safeguards that can be put into place to reduce or mitigate this risk.  If safeguards do not sufficiently mitigate the impact on individuals and security risks exist, then consider whether technical and organizational security measures can be put into place to reduce or mitigate these risks. 

If your LIA concludes that the impact on individuals overrides your legitimate interest, then you are not able to process personal data for the identified particular purpose using legitimate interest as the legal ground for processing.  However, you may use another legal ground for processing if it applies. 

This blog is the 20th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  What does it mean to use contract as a legal ground for processing personal data?

What does it mean for an organization to have a legitimate interest to process personal data?

Legitimate interest is one of the more common legal grounds for a controller to process personal data.  Legitimate interest is different from consent: it is not processing that the individual has specifically agreed to; it is not processing linked to a specific purpose (like the one specified in a contract with the individual; contract as a legal ground to process will be discussed in a future blog); and it is flexible and could theoretically apply to any type of processing.  Since consent is more restrictive under the GDPR, some think of legitimate interest as the catch-all basis for processing personal data.  This view is incorrect.

In order to decide whether legitimate interest can be used as a legal ground to process personal data, you must conduct a balancing test to determine whether:  

  • The impact on individuals overrides the organization’s legitimate interests
  • If the impact on individuals overrides the organization’s legitimate interests, safeguards sufficiently minimize the impact on individuals
  • If safeguards do not sufficiently minimize the impact on individuals and security risks exist, security measures sufficiently minimize the impact on individuals.

If safeguards and security measures do not sufficiently minimize the impact on individuals, then legitimate interest cannot be used as the legal ground to process.  In order for processing of personal data to proceed, another legal basis for processing must exist.

The legitimate interest does not have to be the organization’s own.  It could also be the legitimate interest of any third party.  The “third party” could be a third-party organization or a third-party individual.  Also, the legitimate interests of the public in general may play a part when deciding whether the legitimate interests in the processing override the individual’s interests and rights.  If the processing has a wider public interest for society at large, then this may add weight to your interests when balancing them against those of the individual.

If you think you want to use legitimate interest as the legal ground to process personal data, then you will have to do a legitimate interest assessment.  You must perform the legitimate interest assessment before you start processing the personal data.  How to conduct a legitimate interest assessment will be discussed in the next blog.

This blog is the 19th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  How to conduct a legitimate interest assessment

How to get consent from individuals to process their data?

Consent is one of the most common legal grounds for a controller to process personal data.  Consent of the individual means any:

  • Freely given (i.e. real choice and control).  An example is when individuals have to agree to get access to a website; then they do not have choice and control and consent is not freely given.  Employers and other organizations in positions of power over individuals should avoid relying on consent as it is unlikely that it is freely given.
  • Specific (i.e. the description of the reason for the purpose of the processing must be granular and must be separate from information about other matters).  An example is when a website seeks to market to an individual by mail and by phone, the individual must be able to consent separately to mail and to phone.
  • Informed (i.e. the individual must know the controller’s identity, the purpose of each processing operation for which the controller is seeking consent, the type of data that will be collected and used, the existence of the right to withdraw consent, if relevant the existence of the right not to be subject to automated decision-making, including profiling, and the possible risks of transferring personal data outside the EU).
  • Unambiguous indication of the individual’s agreement to the processing of personal data (i.e. there must be a clear affirmative and deliberate action).  An example is when an individual checks a checkbox.

All of these requirements must be met.  Furthermore, individuals must be able to withdraw their consent, and it must be easy for them to do so.

The subject of the next blog is one of the other common legal grounds for a controller to process personal data:  legitimate interests.

This blog is the 18th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  What does it mean for an organization to have a legitimate interest to process personal data?

What is a “legal basis to process personal data”?

Under the GDPR, a business that determines how personal data are processed can only begin activities that involve the processing of personal data if at least one of the following legal grounds applies:

  • The individual has given consent to the processing of his or her personal data for one or more specific purposes (an example is when an individual agrees to receive marketing emails from you);
  • Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract (an example is when individuals buy items online: the business needs to use the individuals’ addresses in order to deliver the items);
  • Processing is necessary for compliance with a legal obligation to which the business is subject (an example is when you need to use an individual’s personal data to pay employment taxes);
  • Processing is necessary in order to protect the vital interests of the individual or of someone else (an example is when the emergency room of a hospital accesses the medical records of an unconscious individual);
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business (an example is when the business processes payments from individuals for a governmental agency, it will have access to individuals’ personal data);
  • Processing is necessary for the purposes of the legitimate interests pursued by the business or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data, in particular where the individual is a child (an example is when a business decides to provide workers’ compensation insurance to its employees; it is in the interests of both the individuals and the business for this benefit to be provided, and the risk of using personal data to do so is very low).

There is no significance to the order of these legal grounds; one ground is not preferable to another one.  However, consent, contract and legitimate interests are the most common legal grounds used, and they will be explained in the next several blogs. 

All the legal grounds except consent are subject to the requirement that the processing be “necessary” for a particular purpose or in order to do a particular thing.  “Necessary” means the processing of personal data must be essential for the purpose pursued by the business.  Is there another way of achieving the objective?  If there isn’t another way or if there is another way but it would require disproportionate effort, then processing is necessary.  If there are multiple ways of achieving the objective, then the least intrusive means of processing the personal data is necessary.

This blog is the 17th in a series of blogs that describe and explain the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  How to get consent from individuals to process their data?

How to break the GDPR into bite sized pieces

After a summer break, I’m back continuing our bite-sized breakdown of the GDPR.  Why?  I often hear “I don’t know where to start” as a reason why small or medium-sized enterprises (SMEs) haven’t put the GDPR into practice yet.  Like so many things in life, if it can be broken down into bite-sized pieces, then it’s not so overwhelming.  Another platitude that might be helpful in this situation is “start at the beginning.”

If you are a business that processes personal data, you need to have a legal basis to process personal data.  So, the first bite-sized piece, or the first topic to start with, is whether you have a legal basis to process personal data.  What a legal basis to process is will be discussed in my next blog.  The GDPR can be broken down into seven other bite-sized pieces or topics:

  • As mentioned in my previous blogs, the GDPR expands individual rights and creates new individual rights.  It is important for SMEs to understand what these rights are and how to respond if an individual exercises one of them.
  • If you use a third-party to process personal data for you or you are the third-party that is processing personal data, the GDPR specifies what requirements need to be in the contract with the third-party.
  • The GDPR requires a personal data breach likely to result in risk to the rights and freedoms of individuals to be reported to the appropriate supervisory authority within 72 hours and to the individual without undue delay.
  • In order to determine what technical and organizational security measures to have in place, you need to assess the risks presented by the processing, especially from the perspective of a data breach.
  • If you engage in processing that is likely to result in high risk to the rights and freedoms of individuals (high risk processing), then you must, prior to the processing, assess the impact of the high risk processing.
  • If you employ fewer than 250 persons, then you do not need to maintain a record of processing unless the processing:
    • Is high risk processing or
    • Is not occasional or
    • Includes special categories of data (e.g. racial or ethnic origin, political opinion, religious beliefs, health data)
  • If you transfer personal data outside the EU to non-EU countries, then the transfer must be subject to appropriate safeguards (e.g. Standard Data Protection Clauses).

I’ve already explained individual rights.  I am going to explain in more detail what the rest of these topics mean in subsequent blogs. 

This blog is the 16th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. 

Each of the “bite sized pieces” is one of the eight topics in GDPRsimple.

Next blog:  What is a “legal basis to process personal data”?

How do I keep all the individual rights straight? Are there any commonalities between all the individual rights?

There are some procedural and some substantive commonalities between the rights to access, rectification, erasure, restriction, portability and object.

Let’s discuss the similarities among all six rights first:

  • The controller must ascertain the identity of the individual making the request.  If the controller does not have the information to determine the identity of the individual making the request, then the controller must inform the individual, and the individual must provide the information.  If the individual does not provide the information, then the controller is not required to process the request. 
  • The controller must provide information on the action taken on a request to the individual within one month of receipt of the request.  That period of time may be extended by two months where necessary if the requests are complex or numerous.  Within one month of receipt of the request, the individual must be informed of any extension and the reasons for the extension. 
  • Where the individual makes the request electronically, the information must be provided electronically, unless the individual requests otherwise.
  • If the controller does not take action on the individual’s request, the controller must notify the individual within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with the supervisory authority and of seeking a judicial remedy.
  • All actions in response to these requests must be provided free of charge.  A reasonable fee may be charged where requests from an individual are manifestly unfounded or excessive.

Similarities among the rights to rectification, erasure and restriction are:

  • Where the controller has disclosed personal data to recipients, the controller must communicate any rectification or erasure of personal data or restriction of personal data to these recipients. This communication does not have to take place if it proves impossible or involves disproportionate effort. 
  • If the individual requests whether his or her personal data has been disclosed to such recipients, the controller must inform the individual about these recipients.

Similarities among the rights of access and to portability:

  • The right to obtain a copy of personal data undergoing processing does not apply if it adversely affects the rights and freedoms of others.
  • The right to receive personal data concerning the individual which the individual provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller do not apply if they adversely affect the rights and freedoms of others.

This blog is the fourteenth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  Has any guidance been issued on the individual rights?

How does the GDPR change individual rights?

It is easy to assume that because individual rights existed under the Directive, you don’t have to do anything extra to implement the GDPR.  If you are assuming this, you are mistaken.  As discussed in an earlier blog, the timing requirements and the reasons for not complying with an individual request are different, and you can no longer charge a fee to respond to an individual request.  Additionally, as previously discussed, some new rights have been added and some rights that previously existed have changed.  So, what changed and what stayed the same?

The right to information preserves the basic right that individuals are entitled to a minimum set of information – the identity of the controller, the controller’s reasons for processing personal data and other information necessary to achieve fair and transparent processing of personal data.

The right of access permits individuals to obtain access to their personal data.  This right existed under the Directive, but the mandatory categories of information which must be supplied in connection with an access request have been expanded under the GDPR.

The right to rectification permits individuals to obtain correction of any errors in their personal data. This right is largely unchanged in the GDPR.

The right to erasure permits individuals to obtain deletion of their personal data.  This right is broader under the GDPR.  Under the Directive, the right existed where the controller failed to comply with the Directive.  Under the GDPR, the right exists under certain specified circumstances.

The right to restrict processing permits individuals to restrict the processing of personal data under certain circumstances.  Under the Directive, the individual had the right to request blocking of data which meant that the controller could not use the data.  Under the GDPR, the right to restrict processing means that the data can only be stored by the controller and can only be used for limited purposes.  Thus, under the GDPR, there is a broader range of circumstances in which individuals can restrict “processing” of personal data.

The right to data portability permits individuals to transfer their personal data between controllers.  The Directive did not directly address this right.  Thus, the right to data portability is a new right under the GDPR.

The right to object permits individuals to object to processing carried out on the legitimate interest or public interest legal basis.  The Directive permitted processing to continue unless the individual could show the objection was justified.  The GDPR reverses the burden and requires the organization to demonstrate either that it has compelling grounds for continuing to process the personal data or that the processing of personal data is necessary in connection with its legal rights.  The right to object to processing for purposes of direct marketing preserves the position under the Directive.  The right to object to processing for scientific, historical or statistical purposes gives individuals more specific rights.

This blog is the thirteenth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  How do I keep all these rights straight?  Are there any commonalities between all these rights?

What is the right not to be subject to automated processing?

The right not to be subject to a decision based solely on automated processing, including profiling, gives the individual the ability not to be subject to such a decision which produces legal effects concerning him or her or similarly significantly affects him or her.  This right does not apply if the decision:

  • Is necessary for entering into, or performing, a contract between the individual and a data controller, and suitable measures to safeguard the individual’s rights and freedoms, especially the ability to obtain human intervention in order for an individual to be able to express his or her point of view and to contest decisions, must be implemented;
  • Is authorized and lays down suitable measures to safeguard the individual’s rights and freedoms and legitimate interests; or
  • Is based on the individual’s explicit consent, and suitable measures to safeguard the individual’s rights and freedoms, especially the ability to obtain human intervention in order for an individual to be able to express his or her point of view and to contest decisions, must be implemented.

Such decisions that are authorized must not be based on special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation – unless explicit consent has been given or the processing is necessary for reasons of substantial public interest.  Furthermore, suitable measures to safeguard the individual’s rights and freedoms and legitimate interests must be in place.

This blog is the eleventh in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  How does the GDPR change individual rights?

What is the right to object?

The right to object gives the individual the ability to object to the processing of personal data:

  • Where the legal basis to process is legitimate interest or performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, including profiling based on these provisions.  In these situations, the personal data can no longer be processed unless compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual are demonstrated or in order to establish, exercise or defend legal claims.
  • If personal data concerning him or her are processed for direct marketing purposes, including profiling to the extent that it relates to direct marketing.  If the individual objects to processing for direct marketing purposes, the personal data can no longer be processed for direct marketing purposes.

The right to object for the above two reasons must be brought explicitly to the attention of the individual at the latest at the time of the first communication with the individual.  It must be presented clearly and separately from any other information.  If the communication with the individual is over the internet, then the individual must be able to exercise his or her right to object over the internet.

The right to object also gives the individual the ability to object to the processing of personal data concerning him or her for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

This blog is the tenth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right not to be subject to automated decision-making?

What is the right to data portability?

The right to data portability gives the individual the ability to:

where:

The individual has the right to have the personal data transmitted directly from one controller to another where technically feasible.

The right to data portability is not in lieu of the right to erasure.

Exceptions to the right of data portability are processing:

  • necessary for the performance of a task carried out in the public interest,
  • in the exercise of official authority vested in the controller, or
  • that adversely affects the rights and freedoms of others.

This blog is the ninth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right to object?