What Is Legitimate Interest Under the GDPR?

Written by Shanna Doherty
Updated 1 year ago

All of our data is GDPR-compliant, but it is important to understand exactly what this means.

Under GDPR laws, there are six conditions that organisations must meet when collecting, storing, and processing data.

Four of these conditions (contractual requirements, legal obligations, vital interests and tasks carried out in the public interest) are easy to understand and verify. However, the remaining two (consent and legitimate interest) are trickier.

What is Legitimate Interest?

Legitimate interest is the most flexible of the GDPR conditions, and therefore, it is far easier to misunderstand.

Legitimate interest comes into play when an organisation uses data in a way that the data subject would expect, with "interest" referring to a broad range of interests, including third-party commercial interests as well as wider societal benefits.

Legitimate interest generally, but not exclusively, comes into play when:

- There is no legal requirement for processing the data, but there is a clear benefit to doing so.

- There is minimal risk to the data subject's privacy.

- The data subject can reasonably expect their data to be used in such a manner.

Organisations that rely on legitimate interest must document thoroughly their reasons for doing so. Unless you can justify your reasoning, data subjects will have the right to object to your processing. This can be done through a data subject access request (DSAR).

If such requests become a pattern, you should ask whether your justification for legitimate interest is sound.

When Does Legitimate Interest Apply?

As examples of legitimate interest, the GDPR highlights the following:

- Fraud prevention

- Network and information security

- Indicating possible criminal acts or threats to public security.

Other examples include processing employee or client data, direct marketing and intra-group administrative transfers.

For most businesses, it is the "direct marketing" use that may be of interest. Recital 47 of the Regulation states that "direct marketing purposes may be regarded as carried out for legitimate interest".

Determining Legitimate Interest

When it comes to GDPR, it is better to proceed with caution. If you are uncertain, it is best to take steps to determine whether legitimate interest applies. The Information Commissioner's Office (ICO), the UK's data protection authority, provides checklists, resources and tests to help you check that your purpose for storing data is on the right track to fall under the legitimate interest basis.

If you have further questions regarding GDPR compliance, please use our chatbot or file a support ticket for expert advice from our team.

For more information, please visit IT Governance.
