Legitimate Interests - A catch-all lawful basis under GDPR for processing data?
Reflecting on the three weeks since the General Data Protection Regulation implementation date, it’s clear that the impact of the new legislation on the financial services sector is not limited to pre-deadline work. Firms are working hard to continue to embed business changes and evolve with the Information Commissioner’s Office’s recent guidance, new industry norms, and peer and supplier practices.
At this juncture, firms should be settling into the new regime, undertaking testing and analysis to ensure that new approaches and methods are robust and fit for purpose. For example, at this stage it is a good idea to revisit each processing operation and confirm that it complies in practice, not just on paper. Simply carrying over pre-GDPR methods is risky: the financial services sector, no stranger to regulation, cannot assume that the lawful bases it previously relied on for processing personal data still hold, even given the typically high standards of data handling and data security within the industry. With financial firms collecting large amounts of personal data for a wide range of processing activities, it is crucial that they are able to navigate the new requirements successfully. In this article, we take a look at the issue of legitimate interests.
Any organisation seeking to process personal data must do so under one of the six lawful bases set out in Article 6 of the GDPR. The ICO highlights that whilst legitimate interests is the most flexible of the six (it is not tied to a particular purpose), it should not be used as a default basis for all processing. Care should be taken to identify the most appropriate basis in each case, considering each type of processing operation and each category of data subject. Legitimate interests may be the most appropriate basis where the privacy impact on the data subject is limited, where the data subject would reasonably expect you to use their data in that way, or where you do not want to give the subject full upfront control (i.e. consent) or bother them with consent requests for processing to which they are unlikely to object.
Whilst legitimate interests may appear to be a catch-all or fallback for many processing operations, and many firms will have used it in the past, it will likely not apply to every type of processing, and firms should take care not to simply grandfather previous bases across to the new regime, particularly where legitimate interests is concerned. The GDPR places more responsibility on controllers to justify processing: firms will be expected to explain fully what the legitimate interests behind the processing are within privacy notices and data policies. Organisations will also need to have considered and documented the justification for any impact on individuals and, as a matter of best practice, to have undertaken a ‘legitimate interests assessment’.
In short, although legitimate interests will likely apply across many types of processing operation, it may not be the most appropriate basis, and it may in fact take more upfront work than the other lawful bases. The ICO also highlights that compliance may be harder to demonstrate because ‘there is more scope for disagreement over the outcome of the balancing test’; in other words, you must be able to show clearly that the balance between your interests and those of the individual favours the processing.
The ICO recommends a three-part test, with the outcome documented, so that firms can demonstrate that the basis applies: a purpose test (identify a legitimate interest), a necessity test (show that the processing is necessary to achieve it) and a balancing test (weigh it against the individual’s interests, rights and freedoms). Although a ‘legitimate interests assessment’ is not mandated under the GDPR, the ICO’s recommendation offers a useful practical approach and a valuable audit trail.
Financial services firms subject to FCA regulatory requirements, such as those contained within SYSC and the SM&CR, are required to retain data in certain circumstances, but even in these cases organisations should be mindful that both processing and retention need to be revisited under the GDPR. Retaining data beyond what the regulations require would likely not be considered compliant. Firms should also ensure that data maps are up to date; data collected and processed to meet regulatory requirements should be checked to confirm that only what the regulator actually requires is used and stored. Any firm relying on legitimate interests as the basis for processing while storing personal data over and above those requirements would be open to challenge.
Whether you are concerned that your firm may be under- or over-applying the GDPR, our 13 June seminar offers an opportunity to benchmark your current practices, get up to speed on ICO recommendations, and hear how your peers in the sector are complying.