Data Privacy: Legitimate interest – for life, not just for deadlines
Not just a 'make work' activity
05 May 2020
Two years since the GDPR took effect it feels time to take stock of the work done so far.
Businesses need to devote some time to keeping on top of overall compliance, particularly when it comes to lawful bases for processing.
Guidance issued on lawful bases has sought to narrow the use of them in certain circumstances, for example the use of contractual obligation. This leaves many organisations limited realistic choices when deciding which lawful basis might apply. For the majority of elective data processing this generally boils down to consent or legitimate interest.
Consent may be an appropriate lawful basis when the data handling is genuinely optional, but brings with it significant administrative requirements to organisations to ensure that they can demonstrate that consent was obtained properly. With increased regulatory attention on previous poor practice in this area, a more reliable and robust lawful basis might be favoured.
Step forward legitimate interest.
A question for organisations now is whether the legitimate interest assessments (LIAs) previously made continue to remain fair and reasonable.
Why does this matter?
The compliance obligations required by the GDPR are meant to be a living breathing privacy framework which is under constant review and revision. Individuals, organisations and society change over time and it makes sense that revalidation of previous assumptions captures that change.
This extends to the use of legitimate interest.
The Dutch supervisory authority recently fined the Royal Dutch Tennis Association 525,000 euro for alleged non-compliant reliance on legitimate interests as the appropriate lawful basis for sharing personal data of its members with sponsors (those interests being characterised as solely commercial in nature). Whilst this strict interpretation has been challenged by academics and industry stakeholders, it does underline the importance of documenting an organisations interpretation in an LIA, in case challenged.
About the processing
There are two main organisational reasons why some of the assumptions settled on in the original LIA may now require a degree of revalidation. Purpose drift and necessity.
Purpose drift can be thought of analogous to 'scope creep' in a project. Has there been a series of small changes in the activity now carried out? Or could a handful of extra fields have been added to the dataset, or the pool of people has widened as the process bedded in? It would only take a handful of these gradual alterations to find twice (or even more) the number of data subjects, or more invasive data being processed, for quite different purposes.
Necessity can also change over time. Can the compelling case made a year ago still be made today? Or perhaps the processing was only ever originally intended to be a one-off exercise, but has morphed into BAU. Do the assumptions and judgements made in the original LIA still hold when reviewed against the new processing landscape?
DPOs and other privacy professionals cannot be expected to stay fully on top of everything which they may have previously had come across their books. Others in the organisation are busy people too and may forget to tell the privacy team about the revised nature of the processing. There is therefore a need to act programmatically and plan to act accordingly.
Alignment of interests
Another reason for a review is that previously aligned interests may have diverged over time, and as a result they are now not as strongly coupled as in the original assessment. Much like the processing scope creep this is likely an incremental process, not immediately noticeable but more evident after the passage of longer periods of time.
Looking at the data subjects, were they originally a narrow collection of individuals whose interests could be easily, and well described? Or perhaps the processing covered a diffuse group of people with loosely defined interests, and these have diverged more in the intervening months?
What of the organisation's interests, or any associated third-parties? Can those interests be said to be as strong as they were? A review of these two sets of interests against those of the data subjects helps revalidate the LIA.
Any revalidation exercise will also need to review the controls which were put in place. Take the privacy notice(s) developed in response to the LIA. Are they still accurate and do they still reflect the processing? Any legitimate interests processing is required to be detailed in the appropriate notice, so keeping that up to date is a key.
Are the technical or organisational controls put in place still appropriate, given the likely technological advances in the preceding interval? If the data volumes or data subjects have changed, do the technical and organisational measures deployed still suffice?
Is another data protection impact assessment necessary?
While that may be the end of the formal LIA, good record keeping is essential in demonstrating an organisation's compliance. What needs to be recorded? Where is the best place to document that? Is the review period still reasonable given the context of the revised LIA? What is needed in the way of scheduling this next review?
Following on from this, are there any updates to the Records of Processing Activity required? Are the purposes of processing still accurate? Categories of data subjects or data processed may have also changed, or the retention period is now different. Even the organisational and technical measures might have moved on since the original assessment. Do these differences need to be recorded?
Lastly, and perhaps most importantly, do the privacy notices need to be updated? This might be the internal, staff notices or it could be a website privacy notice. IT teams might need to be engaged to make this happen, with authorisation or sign off required. Informing individuals of any legitimate interest processing is a key plank of the compliance obligations, so it is critical that this be done.
In summary, it may appear as if this is merely 'make work' activity. But it is not. Due to the flexibility and the potential for application to a wide variety of processing purposes, the legitimate intertest lawful basis rightly brings with it corresponding compliance obligations to ensure it is in the interests of the individuals' whose data is being used that the processing be done, and done fairly.
Key Take-Away Points:
- Revalidate the purpose and necessity of the processing
- Review the interest alignment
- Make changes to any controls originally put in place
- Bring your internal and external records and notices up to date
- Diarise the next review, with sufficient advance notice
This article was written by Dylan Beckbridge, Data Privacy Specialist, Clifford Chance