New ICO guidance for GDPR legitimate interests

The ICO has published more detailed guidance on legitimate interests as a lawful basis for processing personal data. This will be of interest to trustees trying to determine their lawful basis with GDPR now just weeks away.

New guidance from the Information Commissioner’s Office explains that the lawful basis of legitimate interests could, in principle, apply to any type of processing for any reasonable purpose.

Therefore, it can apply to a wide range of circumstances and, as such, trustees must take some additional steps in order to rely on this basis. It is not possible to use legitimate interests as a default basis for all processing, but it may be appropriate where processing is not required by law but is of clear benefit to the trustees or others and there is limited impact on the privacy of the individual.

There is a three-part test that the trustees must satisfy to rely on legitimate interests. In summary, this comprises:

  1. Purpose
    There must be a legitimate interest. This can be the interests of the trustees, the interests of a third party (an organisation or an individual), or those of wider society. It is not enough to rely on vague or generic business interests.
  2. Necessity
    The processing must be necessary for the identified purpose. Necessary means that the processing is a targeted and proportionate way of achieving the purpose.
  3. Balancing
    The purpose must not be overridden by the individual’s interests, rights and freedoms. Trustees must consider the nature of the personal data, the reasonable expectations of the individual and the likely impact on the individual and how this can be mitigated. In relation to the expectations of the individual, the more information the trustees provide the individual regarding processing, the more likely this requirement is to be met.

Trustees should think carefully before deciding on their lawful basis for processing, especially given that it will be difficult to change at a later stage. Trustees must also document their assessment of the most suitable lawful basis and, where relying on legitimate interests, the outcome of the three-part test, including the factors considered, so that they are able to justify the decision if necessary.

The ICO has also published a Word template for documenting the legitimate interests assessment. Its use is not obligatory, but it may help trustees in evaluating and deciding upon their legal basis for processing.

© BDB Pitmans 2024. One Bartholomew Close, London EC1A 7BL - T +44 (0)345 222 9222
