
GDPR: Consent and legitimate interests

Guest blog by John Chesshire CFIIA CISA QIAL CIA  |  16 March 2018

The idea of consent, and its main role as one potential lawful basis for processing, is not new. The definition and role of consent remains similar to that under the current Data Protection Act 1998 (DPA). The Data Protection Directive defines consent as 'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.'

However, the GDPR develops the DPA standard of consent in several areas and sets a higher standard for consent. The GDPR defines consent in Article 4(11) as 'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.'

According to the Information Commissioner's Office (ICO), the rationale is that 'consent means offering individuals real choice and control in respect of their personal data. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.'

Is consent the most important Lawful Basis for processing?

It is important to note that there is no hierarchy of lawful bases for processing personal data: all are equally valid. Controllers may choose a different lawful basis for different processing activities. The most appropriate lawful basis will depend on the personal data being processed and the purposes for processing. Legitimate interests may be considered where:

  1. Another lawful basis is not available due to the nature and/or scope of the proposed processing, or
  2. There are a number of lawful bases that could be used, but legitimate interests is the most appropriate.

The ICO suggests that organisations:

  1. Check consent practices and existing consents, and refresh consents that do not meet the GDPR standard.
  2. Use a positive opt-in; do not use pre-ticked boxes or any other method of default consent.
  3. Require a very clear and specific statement of consent to ensure explicit consent.
  4. Keep consent requests separate from other terms and conditions.
  5. Be specific and ‘granular’, obtaining separate consent for separate things. Vague or blanket consent is not enough.
  6. Be clear and concise.
  7. Name any third-party controllers who will rely on the consent.
  8. Make it easy for people to withdraw consent and tell them how.
  9. Keep evidence of consent – who, when, how, and what you told people.
  10. Keep consent under review, and refresh it if anything changes.
  11. Avoid making consent to processing a precondition of a service.
  12. Take extra care, where the organisation is a public authority or an employer, to show that consent is freely given, and avoid over-reliance on consent.

Legitimate interests is the most flexible lawful basis for processing personal data. The ICO suggests that:

  1. It is likely to be most appropriate where organisations use people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing.
  2. If your organisation chooses to rely on legitimate interests, it is taking on extra responsibility for considering and protecting people’s rights and interests.
  3. Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
  4. There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. The organisation needs to:
    • identify a legitimate interest
    • show that the processing is necessary to achieve it
    • balance it against the individual’s interests, rights and freedoms.
  5. The legitimate interests can be the organisation’s own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
  6. The processing must be necessary. If it can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
  7. The organisation must balance its interests against the individual’s. If the individual would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override the organisation’s legitimate interests.
  8. The organisation should keep a record of its legitimate interests assessment (LIA) to help it demonstrate compliance if required.
  9. The organisation must include details of its legitimate interests in its privacy notice.

As internal auditors, we could usefully assess how our organisations shape up in each of these areas as part of our current assurance or advisory work over GDPR preparations.


Read the ICO's draft GDPR consent guidance

Content reviewed: 8 May 2019