An introduction to Lawful Processing, Consent and Legitimate Interests

Creating a Permissions strategy for the GDPR – Part 1

Paul Malyon 10 minute read GDPR

Information Notice: The information and opinions in this blog are for general information purposes only and not provided as part of any contract or service. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is for each organisation to take its own decisions and its own advice on GDPR and regulatory compliance more generally. The views given in this blog do not represent those of Experian Ltd.

A lot of organisations have been focussing on the GDPR and how they can implement a data governance strategy that aligns with this change in data privacy regulation. In this two-part blog, we’ll take a look at Lawful Processing with a focus on consent, legitimate interests and how good data quality and specialist technology can support your strategic approach.

First up, it’s worth me saying that just because we’re focussing on consent and legitimate interests, it does not mean that these are the only two (or most important two) of the six legal bases for processing data under the GDPR. It’s important for all organisations to consider how they already process and wish to process personal data.

I should also say that this two-part blog is going to be of most interest to those responsible for marketing data – much of this data will have been managed under consent or legitimate interests in the past so understanding these in the GDPR context should be useful to marketing professionals but certainly of interest to others too.

In the first instalment, I’m delighted to bring you an interview with J Cromack from the Consentric team at MyLife Digital. He’s an expert on the challenges of managing permissions – from Consent to Legitimate Interests and all the other legal bases - and we’ll be discussing what the Legal Bases for processing data mean to organisations preparing for the GDPR. We’re partnering with MyLife Digital to bring the power of their Consentric platform to our clients. With the unique focus on both usability and privacy, we believe that it’s a valuable piece of a GDPR-ready data governance strategy.

Paul Malyon, Experian: With GDPR now in force, for many organisations there will be an on-going focus on Lawful Processing and consent versus legitimate interests. What are the main questions that you’re hearing from organisations as they tackle this part of the GDPR?

J Cromack, MyLife Digital: There’s definitely been some confusion in the market around when to use consent versus Legitimate Interests or one of the other legal bases. From the conversations I’ve been having, the top queries include:

  • When do we need consent?
  • Is our historic consent valid?
  • Can we infill our historic consent using other data we have access to?
  • How can we be certain of consent for an individual when we have multiple marketing lists?
  • When should we use legitimate interests instead of consent?
  • How do we remove an individual from processing if they object to Legitimate Interests?
  • What role does contact data quality play in consent management?

Some of these questions will have unique answers for an organisation due to the way they have managed data in the past. However, I think it’s important to go back a step and think about the Why and How of processing data – as you may know, Consent and Legitimate Interests are just two of six lawful ways of processing data.

Paul: Thanks J. So when we say “six Lawful ways”, what do we mean by this and where can people find more information?

J: For an excellent guide on processing data, check out the ICO website. As you’ll see, there are six lawful bases for processing data. I’m not going to go into detail on contracts, vital interests, public task or legal obligation today as they either apply to only a select group of organisations or have not changed significantly since the days of the 1998 Data Protection Act.

What I think is important for everyone though, especially marketing professionals, is to look in some detail at Consent and Legitimate Interest.

Paul: Perfect. So consent is something that I think most people will have heard of but there may be some questions around how it can be gathered, how it can be used and when it’s appropriate. Legitimate Interest is probably a new term for most people so it would be good to look into this in a little detail. Could we start by defining both of these Legal Bases and when they could be useful?

J: Absolutely. Let’s start by discussing Consent. Under the GDPR, consent is one of the six legal bases for processing data. Historically, many organisations have used consent under the 1998 DPA to enable their marketing activities to prospects and customers. They’ve also used consent for digital marketing under the separate PECR rules (commonly known as the Cookie Law and due for an update by the EU in the next couple of years).

Firstly, organisations will need to review both whether their existing consent is adequate under the GDPR and whether consent is the most appropriate ‘legal basis’ for processing personal data for the future. In some circumstances (for example, in a scenario where personal data is processed for marketing purposes to define an audience but not the actual marketing itself), consent may not be the best legal basis and legitimate interests might be more appropriate. However, where digital marketing is then performed, the PECR rules on consent will apply regardless of which processing ground you are relying on from a GDPR perspective. It is potentially confusing, and we are hopeful that this may be resolved once PECR is replaced with new ePrivacy regulations soon.

Secondly, organisations relying on consent will need to ensure that such consent is positively and freely given – a genuine choice positively signifying agreement – and is specific and informed (i.e. not included in small print). Using a marketing scenario again, this means a tick box (or boxes) on your website form to opt into marketing (or another purpose for which you want to use consent). The use of pre-ticked or opt-out boxes for consent is not permitted under the GDPR.

Thirdly, organisations need to be able to evidence consent (for example the time, date, channel and privacy policy under which that consent was granted) and where historic consent cannot be evidenced, refresh it to match the GDPR requirements.

On top of these three steps, it’s also important that individuals can withdraw consent easily and that the statements used to explain why you need consent are clear and concise. A more detailed list of considerations is available on the ICO website.

Whilst consent under the GDPR is an obvious way of lawfully processing data, care should be taken as to when it’s relied upon – it would be easy for individuals to become bombarded for consent requests when in fact another lawful basis would be more appropriate. Consent under the GDPR is no more valid than any other processing ground, and whether it is valid will depend on the circumstances.

Before I move on, one final link to an excellent blog by the ICO.

Paul: Thanks J. Could you expand a little more on Legitimate Interests?

J: As with consent, I’ll guide you to an excellent overview from the ICO and their latest guidance.

Firstly, it’s worth calling out that the ‘Legitimate Interests’ that we’re talking about here can be those of the individual, your organisation or a third party (such as society as a whole). The challenge for organisations is to balance the interests of that organisation (or 3rd party) against the interests, rights and freedoms of the individual. You should also be able to demonstrate that the processing is necessary in order to achieve the defined outcome (i.e. the Legitimate Interest).

These balancing tests (or Legitimate Interests Assessments) should help your organisation to understand whether a particular use of personal data can be filed under Legitimate Interests, whether the data is actually necessary and appropriate for the purpose (e.g. do we really need someone’s date of birth if we’re not delivering age-related products or services?) or whether another basis such as Consent or Contract is more applicable.

If Legitimate Interests can be relied upon, it’s also going to be important to explain this clearly and concisely in your privacy policy and give the individual the option to object to that processing. The ICO also give some useful information on when legitimate interests can be used in a marketing context and how related e-privacy laws work alongside the GDPR.

Just to conclude, it’s up to each organisation to decide which lawful basis to use. Regardless, recording and tracking this will be as important as enabling the individual to understand your choices and, where necessary, remove consent or challenge another lawful basis.

Paul: So with six lawful bases and many decisions to be taken, what would you recommend to an organisation looking to determine the right approach for them under the GDPR?

J: Just like an organisation needs a strategy to secure data and govern data, they need a strategy around how they manage the lawful bases – a permissions strategy if you will.

This is important for a range of reasons. Let’s look at one that actually comes from the common questions I hear, namely: “How do we remove an individual from processing if they object to Legitimate Interests?”

As you may know, the GDPR contains the Right to restrict processing and the Right to object in certain circumstances. If you’re using Legitimate Interests to process personal data, do you have an internal process and the supporting technology to ensure you can stop the processing of an individual’s data and track any objections they make if your legitimate interests are challenged by the individual? In the event of an objection to direct marketing, the GDPR requires this objection to have effect without undue delay. Is your marketing platform able to process removal of consent or the flagging of an objection against legitimate interests in an efficient and auditable manner?

Making all of this possible internally is challenging – making the process for objecting available to the individual directly is potentially even more complex. This is where the combination of strategy, data and technology comes in. With so much work having been done to prepare for the GDPR, I think it’s critical that organisations look at how they use each of the six Lawful Bases for processing data and ensure that their business and technology stack is ready to support the choices they make now that it’s in force.

Paul: Wonderful. Thanks J. I’m certain that this will help organisations begin to have those conversations in-house.

In the next edition of this series, I’ll be digging into consent and how dealing with historic consent data is an important step toward a Permissions Strategy.

If you’d like to know more about how you can prepare your contact, consent and permissions data for a wider permissions strategy or the Consentric platform by MyLife Digital, please contact us or download the webinar we recorded on Consent and Data Quality for the GDPR.