You may have heard a lot about consent, in relation to the General Data Protection Regulation (GDPR), which becomes a reality in May 2018. But, this is not the only reason organizations and companies may be entitled to process personal data. There is also legitimate interest to be considered.
Detailed guidance regarding legitimate interest is not expected to be provided until next year. But, there are some basic facts that businesses should be aware of before then.
What Does Legitimate Interest Mean?
Legitimate interest exists when a business or organization can show that it has a legitimate reason for processing the personal data of an individual. This can be with or without the consent of the individual, depending on the situation. It is important to note that the fundamental rights and freedoms of an individual must always be considered when processing personal data.
Examples of Legitimate Interest
One of the most obvious examples of legitimate interest is when a company uses personal data they already hold for the purposes of direct marketing. Data that was obtained before the introduction of the GDPR can be used for this reason, as long as it was provided in a consensual way to begin with and the individual can reasonably expect it to be used. If a business has any doubts about whether legitimate interest is a sufficient reason to process personal data, it is best to seek consent from the individual.
Personal data can also be processed at the request of certain third parties; often for legal or financial reasons. If a business or organization processes personal data for this reason, they need to be assured that the personal freedoms of the individual are always considered.
Legitimate interest is not always a strong reason for processing personal data, especially when it comes to direct marketing. Any data protection professional who has doubts about processing data for this reason should advise the use of other reasons, such as the provision of consent by the individual.