The GDPR, Brazil LGPD, Thailand PDPA, and many other privacy regulations around the globe require that organizations determine the legal basis for processing individuals’ data (customers, employees, etc.) as part of their business operations. For example, Article 6 of the GDPR states that processing shall be lawful only if at least one of the following applies: data subject consent has been obtained; processing is necessary for performance of a contract; processing is necessary for compliance with a legal obligation, to protect someone’s life or to perform a task in the public interest; or the processing is necessary for your legitimate interests.
Legitimate interests is a preferred approach for many organizations because of its flexibility and its applicability to any reasonable processing purpose. In contrast, other legal bases of processing, such as demonstrable consent, center around a specific purpose the individual agreed to. Under what circumstances can you use legitimate interests as your basis of processing? Here are the four boxes you must have checked in order to leverage legitimate interests.
Box 1. The processing is not required by law but is of a clear benefit to you or others. For example, an online retailer can promote a pair of sunglasses to someone browsing from an area where it’s the high summer season. Alternatively, an online store might use a visitor’s location data to offer a limited-time free-shipping offer to the visitor’s area.
Box 2. There’s a limited privacy impact on the individual. For example, most websites collect their visitors’ browsing data to optimize performance for the user. Most often, this aligns well with the Legitimate Interests provision. Collecting this data doesn’t pose a threat as long as it is anonymized.
Box 3. The individual should reasonably expect you to use their data in that way. For example, some businesses will want to send communications via email or SMS to remind clients of upcoming appointments. While it always needs explicit consent, most individuals expect their data to be used in this way.
Box 4. You cannot, or do not want to, give the individual full upfront control (i.e., consent) or bother them with disruptive consent requests when they are unlikely to object to the processing. For example, the use of second-party and third-party data can provide insights about the demographics of customers. This data can be used to identify target segments with personalized content. When processing this data, you may not want to have to hand full control over to the individual when the result is messages that they will ultimately want to receive, because the content is likely relevant to who they are as a person or professional.
Checking off each of these boxes is the single most complex aspect of leveraging legitimate interests as your basis for processing data. Conducting a legitimate interests assessment is challenging because the logic for determining whether the significance of the benefits outweighs the risk to individuals is complex.
If the benefits outweigh the risks, then the organization may use legitimate interests as its basis for processing data. The challenging part is that companies must quantify each side of the scale within subcategories of benefits and risks. Privacy leaders could spend hours creating a spreadsheet to perform a balancing test for each business process for which the company wants to establish legitimate interests as its basis for processing. When multiplied by the total number of business processes a company has, the number of balancing tests to create could quickly reach dozens or hundreds across the organization.
The balancing test can be completely automated. Learn more about how you can save time, respond to business needs faster, and generate an audit trail for legitimate interests with the TrustArc Platform. Learn about TrustArc’s Legitimate Interests Assessment and Balancing Test.