In order for a controller to use legitimate interest as the legal ground for processing personal data, the controller will need to conduct a legitimate interest assessment (LIA). A LIA consists of at least five parts:
- The purpose for the processing of the personal data
- The necessity of the processing
- If the processing is necessary, whether the impact on individuals overrides the organization’s legitimate interests
- If the impact on individuals overrides the organization’s legitimate interest, whether safeguards sufficiently minimize the impact on individuals
- If safeguards do not sufficiently minimize the impact on individuals and security risks exist, whether technical and organizational security measures sufficiently minimize the impact on individuals
The purpose of the processing is where you identify your legitimate interest. You (or a third party) must have a clear and specific benefit or outcome in mind. A vague or generic business interest is not sufficient. The recitals to the GDPR recognize preventing fraud, ensuring network and information security, or indicating possible criminal acts or threats to public security as a legitimate interest and indicate that processing employee or client data, direct marketing or administrative transfers within a group of companies may be a legitimate interest. These are not the only situations that are or might be a legitimate interest, but they are good examples.
The processing must be necessary for the purposes of the identified legitimate interest. The processing doesn’t have to be essential, but it does have to be a proportionate way of achieving the purpose. You need to consider whether there is a less intrusive way to achieve the purpose, and if there is a less invasive way, then the more invasive way is not necessary.
The last three parts make up the balancing test. You need to consider the interests and fundamental rights and freedoms of the individual and whether they override your identified legitimate interest. If the impact on individuals overrides your legitimate interest, consider whether there are any safeguards that can be put into place to reduce or mitigate this risk. If safeguards do not sufficiently mitigate the impact on individuals and security risks exist, then consider whether technical and organizational security measures can be put into place to reduce or mitigate these risks.
If your LIA concludes that the impact on individuals overrides your legitimate interest, then you are not able to process personal data for the identified particular purpose using legitimate interest as the legal ground for processing. However, you may use another legal ground for processing if it applies.
This blog is the 20th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.
Next blog: What does it mean to use contract as a legal ground for processing personal data?