As the countdown to GDPR continues, guidance on how to apply it is coming thick and fast.
What’s the issue?
With the GDPR deadline of 25 May 2018 fast approaching, regulators are publishing a flow of guidance on some of the thornier aspects of compliance. At the moment the guidance does not have statutory effect although it may do in future. Nonetheless (and to varying degrees), guidance can be very helpful in answering some of the questions not dealt with in the legislation itself.
What’s the development?
What does this mean for you?
The lawful basis that processing is in the legitimate interests of the data controller exists under current EU data protection law but it will be changing under the GDPR. In addition, the accountability requirements mean that organisations have to be considerably more careful when choosing to rely on legitimate interests. They must be able to identify their legitimate interests in relation to each purpose and demonstrate that they are not outweighed by the rights and freedoms of individuals. As the ICO points out, what has previously been used as a ‘catch all’ to justify processing personal data, now becomes one of the more onerous lawful bases on which to rely.
Similarly DPIAs are not a new concept but they become a statutory requirement in certain situations under the GDPR. Of particular note to businesses is confirmation around regulator response times where controllers are required to seek guidance before starting high risk processing. The ICO has said it will respond in writing within eight to 14 weeks.
The ICO identifies key changes to the concept of legitimate interests under the GDPR as:
- The requirement to identify a lawful basis for processing and be accountable for the choice by identifying their legitimate interests in each case.
- More limited scope for public bodies to rely on legitimate interests.
- The fact that the interests of any third party and wider benefits to society can be considered.
- Special consideration to protecting the data, interests, rights and freedoms of children.
Can you rely on legitimate interests?
The ICO summarises the assessment of whether or not processing should be carried out on the basis of legitimate interests in the form of a three-stage test which it refers to as the legitimate interests assessment (LIA), to be carried out prior to processing and fully documented:
- Purpose test – are you pursuing a legitimate interest?
- Necessity test – is the processing necessary for the purpose?
- Balancing test – do the individual’s interests override the legitimate interests?
If the LIA reveals significant risk to the rights and freedoms of individuals, a DPIA may be appropriate. Regular reviews should also be carried out. Where an organisation would be embarrassed by any negative publicity around its use of personal data, legitimate interests is unlikely to provide a lawful basis for the processing.
While acknowledging that legitimate interests is the most flexible of available lawful bases, the ICO underlines that it can also be the most difficult one to justify and cautions against using it as a default option. Less intrusive alternatives should be used where possible.
What about relying on legitimate interests for marketing purposes?
Legitimate interests can be relied on for marketing activities where consent is not needed under PECR, provided the use of data is proportionate, has a minimal privacy impact and people would not be surprised or likely to object. The data subject’s right to object will be absolute in this situation.
What do you need to tell the data subject?
The data subject must be informed about the legitimate interests being relied upon. In this situation the data portability right will not apply. Where the data subject objects to processing which is based on legitimate interests (other than for direct marketing purposes), the controller must stop the processing unless it can show that its legitimate interests are sufficiently compelling to override the rights of the individual.
Can you move to legitimate interests under GDPR from a different purpose under DPA?
The ICO confirms that it is possible to move to legitimate interests under GDPR from a different basis under the Data Protection Act 1998, for example, where a DPA consent will no longer by valid under the GDPR. Where this happens, individuals must be informed and told about their right to object. They should be given the option to reassess any preference controls or opt out of the processing. Going forward, where a controller wants to process data for a new purpose and is relying on legitimate interests, it will be able to continue processing under legitimate interests provided the new purpose is compatible with the original one. A new LIA should be carried out to help demonstrate compatibility.
The guidance considers specific situations such as intra-group transfers and employee data in more detail and includes more information and checklists about the three-stage test.
Draft ICO DPIA guidance
The draft DPIA guidance builds on existing ICO guidance on PIAs under the current data protection regime and also relies heavily on the Article 29 Working Party guidance. Useful checklists and a DPIA template are also provided.
The ICO is legally required to provide a list of types of processing which are likely to be high risk in addition to those set out in the WP29 guidance. The ICO’s suggested list is currently:
- Using new technologies or applying existing technologies in novel ways.
- Using profiling or special category data to decide on access to service.
- Profiling individuals on a large scale.
- Processing biometric data.
- Processing genetic data.
- Matching data or combining datasets from different sources.
- Collecting personal data from a source other than the data subject without providing them with a privacy notice (‘invisible processing’).
- Tracking location or behaviour.
- Profiling children or targeting marketing or online services at them.
- Processing data which may endanger an individual’s physical health or safety in the event of a security breach.
The ICO also recommends carrying out a DPIA for any other processing which is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.
The ICO confirms that where a DPIA concludes that the processing is likely to present a high risk to individuals, the ICO must be notified. The ICO will respond in writing with advice within eight weeks, or 14 in particularly complex cases. In some cases, the ICO may issue a formal warning to an organisation or take formal action to ban the processing altogether.