IAAF legal helpline provider Lawgistics have advised that the ICO have now produced a document which confirms that legitimate interest is a business-friendly ground for processing data.
As previously advised, business do not need to jump through the consent hoops and reviews to continue to market to existing customers. For example, garages can continue to send MOT reminders to their customer base as long as they offer the customer the option to opt out in every email or text. Further, it is absolutely fine to take a customer’s details and call them back – no separate consent is required, the customer has called you and so is expecting a call back.
The trick to staying on the right side of legitimate interest is to consider the 3 part test, which in plain English requires you to consider:
- why do you want to process the data in question?
- will processing the data help you achieve your purpose and is there a less intrusive way to achieve it?
- would the data subject reasonably expect you to be using their data in this way?
- An employer may ask for next of kin details from their employee so they know who to contact in an emergency. There is no need to ask the individual next of kin for their consent to hold their personal data as it is not unreasonable for such details to be held for health and safety reasons. There is no less intrusive way to be able to contact a relative after an emergency, the impact is minimal and only the line manager and Directors will have the details.
- A business has a problem customer and seeks help from Lawgistics. The business is entitled to seek specialist legal advice and only provides the customer data relative to the case. It is entirely reasonable for a business to seek advice and the customer’s details are looked after by Lawgistics who are GDPR compliant meaning there is minimal risk to the customer.
The key is giving the matter some thought. If it can reasonably be justified, then legitimate interest is your ground of choice – much less hassle and for marketing to existing customers, more likely to keep your marketing list alive as asking for consent may well end up with a limited response.
In summary, legitimate interest is your friend but like all good friendships, it shouldn’t be abused.