Data

The three key stages of a Legitimate Interest Assessment are:
1. Identify a Legitimate Interest, i.e. what the purpose of the processing is
2. Carry out a Necessity test, i.e. state why the processing of the data is necessary (and that another, less intrusive option is not available)
3. Carry out a Balancing test, i.e. weigh the processing against the rights and freedoms of the individuals whose data will be processed

If you are using Legitimate Interest as your legal basis for processing personal data, the Information Commissioner's Office (ICO) has stipulated that you must carry out a Legitimate Interest Assessment (LIA). An LIA is a three-part test. You need to:
1. Identify a legitimate interest
2. Show that the processing is necessary to achieve it
3. Balance it against the individual’s interests, rights and freedoms
You should keep a record of your Legitimate Interests Assessment (LIA) to help you demonstrate compliance if required.
See an example LIA template provided by the Data Protection Network (DPN) here:
Guidance from ICO: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

Legitimate Interests (LI) is the most flexible lawful basis for processing personal data under GDPR.  It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

However, if you choose to rely on legitimate interests, you are taking on extra responsibility and obligations for considering and balancing people's rights and interests using a Legitimate Interest Assessment. The Information Commissioner's Office (ICO) states clearly in its guidance that the legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

Defining Legitimate Interest sits at organisational level. For processing personal data for direct marketing it is the instigator of that marketing that must complete the Legitimate Interest Assessment (LIA) and associated balancing test to document their LI.

It could be the legitimate interest of a charity to increase its donor base.

It could be the legitimate interest of a new business to obtain new customers via a marketing campaign.

Article 5 (1) (d) places a high burden on a data controller to ensure that personal data is kept accurate and up to date. All data processed (this includes mere storage) is subject to the same requirement and measures should be in place to regularly screen all data for changes. If a client maintains a name and address on its base then use of REaD’s suppression suite and its associated enrichment products is good evidence of having taken ‘every reasonable step’.

Telemarketing can be carried out using Legitimate Interest as the lawful basis of processing so long as the numbers are not used for automated cold calling (this requires consent). Considerations in any balancing test might include the time of day calls are made, an assessment of the vulnerability of the targets (possibly by the exclusion of certain age groups) and the frequency of calls.

Until the ePrivacy Regulation is enforceable (expected to be in 2020, date to be confirmed), the Privacy and Electronic Communications Regulations (PECR) will continue to be the prevailing law governing electronic communications and messaging, including email, and this includes the provision for soft opt-in for marketing to existing customers.

If a company has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient, the direct marketing is in respect of that company's similar products and services only, and the recipient has been given a simple means of refusing, then there is an option to use a 'soft opt-in' as your lawful basis for processing. However, you must have given the recipient a clear chance to opt out, both when you first collected their details and in every communication you send.

The soft opt-in rule means you may be able to use electronic messaging to communicate with your existing customers; it does not apply to prospective customers or new contacts (which require consent).

Further details on PECR can be found in the ICO guide to PECR: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/

ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. As part of our commitment to the highest standards of data security and processing, REaD Group has ISO 27001 certification.

More information about ISO 27001