Joint industry group unveils 'legitimate interests' guidance
The Data Protection Network has joined forces with the DMA, ISBA and other data protection experts to publish new guidance on how businesses can use "legitimate interests" to access personal data under the EU General Data Protection Regulation.
The move was sparked by claims that the Information Commissioner's Office would not be covering the issue in its final consent guidance, which was originally due last month.
The regulator says its guidance has now been delayed - possibly until the end of the year - as it is waiting for the Article 29 Working Party to issue its own views, but does insist legitimate interests will be covered eventually.
However, the ICO has faced criticism over its handling of GDPR guidance, and many organisations are looking into other legal grounds to lawfully process personal data, such as legitimate interests, as an alternative to consent.
Marketers' continued use of legitimate interests under the new laws was something the DMA and partners lobbied hard for in the EU.
Rachel Aldighieri, managing director at the DMA, said: “In order to prepare for GDPR in time for May 2018, businesses need to understand how, when and why they’re able to use legitimate interest as a legal basis for contacting potential customers. According to our latest GDPR and You research, one in four marketers are concerned about the issue of Legitimate Interests under the new rules.”
According to the GDPR, organisations need to identify one of six lawful bases for the processing of personal data. In its draft guidance on consent, published earlier this year, the ICO stressed that consent should only be used when a genuine choice can be offered. If this is not possible, then other grounds for processing should be considered.
Legitimate interests is one alternative, but it needs careful consideration. The interests of an organisation must not be outweighed by the privacy rights and freedoms of individuals, for example.
A draft of the DPN’s guidance was submitted to the ICO in the spring, and the initiative has been welcomed by both the ICO and the DPC in Ireland as an example of industry proactively supporting regulators.
The final guidance includes a template for conducting the crucial “3-stage test” – a Legitimate Interests Assessment (LIA); examples of where LI might apply (subject to an LIA); and help on how organisations can fulfil the requirement to communicate the use of LI to individuals.
Data Protection Network chairman Robert Bond, who is also partner & notary public at Bristows LLP, said: “I am delighted that the Data Protection Network and other collaborators have been able to publish this guidance. I appreciate the work of all involved and the ICO for valuable scrutiny and comment.”
To view the full guidance, visit the DPN website.