This lawful basis is likely to be very popular with many organisations – it allows data to be collected without consent and used without acknowledgment BUT still requires that the organisation be very clear, in advance, as to why it feels it is entitled to do this.
Furthermore, just because the data has been collected without consent, does not change the duty of care that the organisation has in looking after individuals’ data and ensuring it is not lost, damaged, leaked or corrupted.
To justify the use of this legitimate interest ground, the organisation has to ensure it has applied the three part Legitimate Interests Assessment (LIA) so that the organisation can show it has fully considered the individual’s rights and interests and will protect them.
While the legitimate interest basis is a very flexible grounding to use when collecting and processing data, that does not mean it is automatically appropriate.
The organisation must determine (in writing) that it is appropriate to use the Legitimate Interest approach when:
- The individuals’ data is used in a way they would reasonably expect (eg. When taking their address in order to deliver a product)
- The use of such data has minimal privacy impact (eg. Taking someone’s address on the basis that most peoples’ addresses are in the Electoral Register - and so open to public scrutiny anyway)
- The data is processed because of a clear and obvious justification (eg where an employee’s bank details are required in order that they be paid their salary)
While GDPR allows a wide range of reasons for Legitimate Interest, it does not provide a complete list. This therefore allows a degree of creativity so long as that is backed by supporting justifications. Please note that the use of data under Legitimate Interest for the organisation’s use, does not preclude the organisation’s responsibilities when it comes to reporting criminal acts or security threats that it may uncover to the authorities.
Note that the Legitimate Interests Assessment (LIA) should be carried out before the data is collected (let alone processed), to check that the Legitimate Interest basis is appropriate.