Skip to main content

An introduction to Lawful Processing, Consent and Legitimate Interests

Creating a Permissions strategy for the GDPR

Paul Malyon 8 minute read GDPR

A lot of organisations have been focussing on the GDPR and how they can implement a data governance strategy that aligns with this change in data privacy regulation. In this two-part blog, we’ll take a look at Lawful Processing with a focus on Consent, Legitimate Interests and how good data quality and specialist technology can support your strategic approach.

In the first instalment, I’m delighted to bring you an interview with J Cromack from the Consentric team at MyLife Digital. He’s an expert on the challenges of managing permissions – from Consent to Legitimate Interests - and we’ll be discussing what Lawful Permissions for processing data mean to organisations preparing for the GDPR. We’re partnering with MyLife Digital to bring the power of their Consentric platform to our clients. With the unique focus on both usability and privacy, we believe that it’s a valuable piece of a GDPR-ready data governance strategy.

Paul Malyon, Experian: One of the top areas of focus for many organisations in their GDPR preparations has been Lawful Processing and Consent versus Legitimate Interests. What are the main questions that you’re hearing from organisations as they tackle this part of the GDPR?

J Cromack, MyLife Digital: There’s definitely been some confusion in the market around when to use Consent versus Legitimate Interests or one of the other legal bases. From the conversations I’ve been having, the top queries include:

  • When do we need Consent?
  • Is our historic Consent valid?
  • Can we infill our historic Consent using other data we have access to?
  • How can we be certain of Consent for an individual when we have multiple marketing lists?
  • When should we use Legitimate Interests instead of Consent?
  • How do we temporarily remove an individual from processing if they challenge Legitimate Interests?
  • What role does contact data quality play in Consent management?

Some of these questions will have unique answers for an organisation due to the way they have managed data in the past. However, I think it’s important to go back a step and think about the Why and How of processing data – as you may know, Consent and Legitimate Interests are just two of six lawful ways of processing data.

Paul: Thanks J. So when we say “six Lawful ways”, what do we mean by this and where can people find more information

J: For an excellent guide on processing data, check out the ICO website. As you’ll see, there are six lawful bases for processing data. I’m not going to go into detail on Contracts, Vital Interests, Public Task or Legal Obligation today as they either apply to only a select group of organisations or have not changed significantly since the days of the 1998 Data Protection Act.

What I think is important for everyone though is to look in some detail at Consent and Legitimate Interests.

Paul: Perfect. So Consent is something that I think most people will have heard of but there may be some questions around how it can be gathered, how it can be used and when it’s appropriate. Legitimate Interest is probably a new term for most people so it would be good to look into this in a little detail. Could we start by defining both of these legal bases and when they could be useful?

J: Absolutely. Let’s start by discussing Consent. Your organisation needs to decide where Consent is required – for many, this will be for a digital marketing purpose. However, it’s clear that every form of data processing will need to be checked to see whether Consent is the most appropriate basis.

Secondly, organisations will need to ensure that Consent is positively and freely given. Using a marketing scenario again, this means a tick box (or boxes) on your website form to opt into marketing. The use of pre-ticked or opt-out boxes will not be permitted under the GDPR.

Thirdly, organisations will need to be able to evidence Consent (for example the time, date, channel and privacy policy under which that Consent was granted) and where historic Cconsent cannot be evidenced, refresh it to match the GDPR requirements.

On top of these three steps, it’s also important that individuals can withdraw Consent easily and that the statements used to explain why you need Consent are clear and concise. A more detailed list of considerations is available on the ICO website.

While Consent is an obvious way of lawfully processing data, care should be taken as to when it’s relied upon – it would be easy for individuals to become bombarded for consent requests when in fact another lawful basis would be quicker and easier for everyone.

Before I move on, I would like to mention an excellent blog by the ICO you can find here.

Paul: Thanks J. Could you expand a little more on Legitimate Interests?

J: As with Consent, I’ll guide you to an excellent overview from the ICO.

Firstly, it’s worth calling out that the ‘Legitimate Interests’ that we’re talking about here can be those of the individual, your organisation or a third party (such as society as a whole). The challenge for organisations is to balance the interests of that organisation (or third party) against the interests, rights and freedoms of the individual. You should also be able to demonstrate that the processing is necessary in order to achieve the defined outcome (i.e. the Legitimate Interest).

These balancing tests (or Legitimate Interests Assessments) should help your organisation to understand whether a particular use of personal data can be filed under Legitimate Interests, whether the data is actually necessary and appropriate for the purpose (e.g. do we really need someone’s date of birth if we’re not delivering age-related products or services?) or whether another basis such as Consent or Contract is more applicable.

If Legitimate Interests can be relied upon, it’s also going to be important to explain this clearly and concisely in your privacy policy.

Just to conclude, it’s up to each organisation to decide which lawful basis to use. Regardless, recording and tracking this will be as important as enabling the individual to understand your choices and, where necessary, remove Consent or challenge another lawful basis.

Paul: So with six lawful bases and many decisions to be taken, what would you recommend to an organisation starting out on this journey as part of their GDPR preparations?

J: Just like an organisation needs a strategy to secure data and govern data, they need a strategy around how they manage the lawful bases – a permissions strategy if you will.

This is important for a range of reasons. Let’s look at one that actually comes from the common questions I hear, namely: “How do we temporarily remove an individual from processing if they challenge Legitimate Interests?”

As you may know, the GDPR contains the Right to restrict processing and the Right to object. If you’re using Legitimate Interests to process personal data, do you have an internal process and the supporting technology to ensure you can temporarily stop the processing of an individual’s data and track any objections they make? In the event of an objection to direct marketing, the GDPR requires this objection to have immediate effect. Is your marketing platform able to process live removal of Consent or the flagging of an objection?

Making all of this possible internally is challenging – making the process for objecting available to the individual directly is potentially even more complex. This is where the combination of strategy, data and technology comes in. With so much work having been done to prepare for the GDPR, I think it’s critical that organisations look at how they use each of the six Lawful Bases for processing data and ensure that their business and technology stack is ready to support the choices they make.

Paul: Wonderful. Thanks J. I’m certain that this will help organisations begin to have those conversations in-house. 

In the next edition of this series, we’ll be inviting Jason back to be talk about how to prepare for a Permissions Strategy by getting your existing data into shape using a Single Consent View and the benefits of a Permissions Platform.

Some links to find out more about what we’ve discussed are below.

If you’d like to know more about how you can prepare your contact, Consent and permissions data for a wider permissions strategy or the Consentric platform by MyLife Digital, please contact us or join our webinar on Consent and Data Quality for the GDPR on March 27.