By Privacy Perfect
Legitimate interest and consent are two of the six lawful bases that data processors can choose from when gathering and processing data subject personal data. Both of the mentioned lawful bases are the most commonly used reasoning among organisations for their data gathering. But what are some of the key differences between the two?
As organisations continue to work hard on their GDPR compliance efforts, a part of that effort is to continue to update their privacy policies. This includes their lawful basis to hold and process a user’s data. Once a lawful base has been chosen, information on the data gathered/processed should be provided. It should be made clear why the data is needed and what the data means in terms of performing a specific task. Additionally, clear information on how long the data will be stored for should be made clear. Before we start going into the comparison of the two lawful bases, let’s quickly recap what each means exactly.
Recap on legitimate interest and consent
As we go through the two lawful bases that organisations may want to choose when gathering information, it is important to note that consent and legitimate interest are only two of the six lawful bases listed in the GDPR. What will also help to determine which may be the most appropriate for your organisation, conducting a data protection impact assessment will prove to be useful to gain a greater overview on your data protection practices.
Legitimate interest is one of the six lawful bases for the processing of personal data. It is described by the United Kingdom’s Information Commissioner’s Office (ICO) as “the most flexible lawful basis for processing”. However, it is also pointed out that one cannot necessarily assume that it would always be “the appropriate or adaptable choice”. The reason why it’s often regarded as the most flexible of lawful bases, is that legitimate interests are not centered around a specific purpose such as carrying out in the public’s interest or it is part of a contract with an individual). A legitimate interest is stated when the processing of certain data is much needed, and that it outweighs any form of risk(s) to the data subjects. When an organisation or public body decides to use legitimate interest as their legal basis, they are also taking the extra responsibility for protecting the data subjects’ rights. To further identify a legitimate interest, according to the ICO, there is a three step thought and decision process that the data controller should consider:
1. Is there a legitimate interest behind such a processing?
2. Is there a necessity of a processing to achieve the task that has been communicated?
3. What does it look like balanced against the data subject’s rights and freedoms.
Furthermore, the ICO provides a Legitimate Interest Assessment (LIA) as well, in the form of a checklist, that would help identify the need of a legitimate interest and what should be further considered upon deciding to use one. Article 6(f) GDPR states that:
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
As a legitimate interest is a very strong and bold lawful base, there must be a lengthy thought process into the implications it may have on the data subjects, just like the three-step checklist provided by the ICO.
A software developer may use legitimate interest as a lawful base to contact users to inform them about a needed update that has solved a fresh security flaw that was found. This would be a strong example of when legitimate interest can be used as prior consent was not needed to perform the task.
Another example could be how financial industries may process an individual’s personal information to prevent the chances of money laundering from happening. Whereas sending material such as the latest discount sales or other marketing related information to users without first having their consent, would not be a strong enough reasoning to have legitimate interest as a legal base.
As defined in Article 4(11) of the GDPR, consent must be: freely given, specific, informed, an unambiguous indication of the data subject’s wishes, and a statement or a clear affirmative action. What this means is that consent is usually made through the data subject’s acceptance of the data controller’s data privacy policies. When asking for consent, it should be noted that it is not open-ended, it must be explicit, and used for known, particular reasonable uses.
Furthermore, to fully have consent, data controllers must provide data subject’s with an opt-in and opt-out option, as well as the choice to successfully erase data that had been previously collected. Moreover, the data subjects’ consent to such processing should not be influenced by the data controller through any form tactics such as intimidation or access to particular services. Thus, consent should be given freely and solely based on the motivations of the data subject. Consent provides data subjects with a choice and a full control over their data.
The GDPR allows data processors to gather consent in three different ways.
• Explicit Consent: This is when a data subject is given the clear option to agree/disagree with the gathering or processing of their personal information. Explicit consent can be gathered verbally as well as through written text.
• Implicit Consent: This is a consent in an in-direct form. Which may mean that a data subject provides their personal information for purposes that favor both the individual and the organisation. It can also be that the data subject voluntarily does so for obvious reasons that require information.
• Opt-Out Consent: An opt-out consent is when a data subject is given the clear option to decline the gathering and use of their information, but only when they do not choose that option clearly that consent is gathered.
What are some examples of consent being used appropriately?
When an individual offers their personal information voluntarily, such as providing their information in a donation form, that can be considered an explicit consent. The individual offers such information entirely from their own decision after clearly understanding the reasoning behind the necessity of their information (which in this case would be to successfully donate).
If an individual has just recently entered a new working space, they may be asked to provide health related information for safety reasons, which may be considered an obvious necessity, as it entails the well being of the individual. If the individual understands this necessity and provides the information needed, this can be considered an implicit consent.
Lastly, when browsing on a shoe brand’s webstore, it may be apparent that product marketing tick boxes are shown to provide the user a more personalised experience. Only when the individual clearly chooses the option not give permission to the organisation to use their data, the consent is not given. If they have left that option unchosen, an opt-in consent is given.
The key differences between the two
• Legitimate interest does not necessarily need a particular purpose, whereas consent does: When an organisation chooses to use legitimate interest for the gathering/processing of personal data, a particular purpose may not be needed. However, the difference here being that choosing to use consent means that the reason must be made very clear to the data subject, as well as the option to not give permission.
• Consent requires transparency. Organisations must make it clear to the data subjects on why they need to use their information. This must be communicated in a way where individuals are able to understand the reasons clearly on why their data may be needed. Moreover, communicating this information to users has been proven to be a strong point in customer relations. As some organisations may find consent as a challenging lawful base to take, providing consent on data gathering purposes may prove to be beneficial in terms of customer relations and building on trust.
• Legitimate interest as a legal base covers a significant range of interests: Having it as a legal base can be applied to an organisation’s own commercial interests, to interests of third parties, or even to a whole society’s interest. However, an organisation should keep in mind that a benefit / positive outcome should be met by the processing of data if they are to choose legitimate interest (which is clearly communicated to individuals through a privacy notice). Thus, legitimate interest carries a great responsibility on organisations.
• With consent, individuals are given the choice to also opt-out when they choose. With this option, organisations should prepare a withdrawal procedure that can be carried out in the case of a data subject choosing to erase previously gathered data. That being said, data records of consent being given should be well kept as proof, and occasionally worked on in the case of a data subject’s decision to ask for an erasure.
Making a decision is no light task
As the information above sheds a light on some of the key differences and key characteristics of the two lawful bases, having to choose between the two is no light task. Especially as there are six lawful bases to choose from, each of the reasoning should be well thought about and understood if it proves to be adequate for the particular task at hand. As a data controller, there are numerous aspects to take into account upon finally deciding on one of the lawful bases. However the process of a legal basis should not be seen as a burden, as there are numerous positive implications that come from one. The process of which not only increases better relations with the audience, but it also provides a stronger emphasis on a company’s data privacy culture, and an even higher probability of gaining relevant and applicable data.