(Legitimately) interesting times
Fundraiser 1: “There’s light at the end of the tunnel, the guidance is almost here.” Fundraiser 2: “Don’t get excited. I’ve been here before, you’ll wish you were back in the tunnel.” Well, we are out of the tunnel and the Legitimate Interests guidance from the ICO has now arrived.
Available online and to download as a PDF, the 46-page document takes you through what legitimate interest is, checklists to think through, how to rely on it and how to apply it in practice.
Fundraisers have been eagerly waiting for this for months – and there’s always a danger with guidance: you call for it, you want it, and then when you eventually get it you don’t like the guidance that it gives. But, in this case, I think the new ICO Legitimate Interests guidance will be broadly welcomed and will give fundraisers the confidence and reassurance they’ve been longing for.
So, what’s in there that will be particularly interesting for fundraisers?
• No surprises
Overall, the guidance is pretty much what we anticipated. There don’t seem to be any gremlins in there, or any nasty surprises. That’s good, and means that the discussions over legitimate interest that have been going on over the last year or so, and the positions that organisations have taken, should still be valid. If you’ve been following guidance from the IoF, from the DPN, or others, you’ll have been going down the right track.
• Legitimate interest is the most ‘flexible’ basis for processing, but comes with added duties
That means it can be used in a number of different ways and for different purposes; it’s contextual and non-prescriptive. But, at the same time, as Uncle Ben said to Spider-Man – “with great power comes great responsibility”. Organisations have discretion on using legitimate interest, but you cannot assume it will always be appropriate, and if you want to use that flexibility you also take on extra responsibility for ensuring people’s rights are protected.
• The new accountability principle of GDPR is key to legitimate interest
The ICO describes the biggest change for legitimate interest as being the need to document decisions and demonstrate compliance. Yes, this means paperwork. It means having templates, policies, procedures and reviewing these. But that extra work is worth it and needed – the guidance provides helpful directions on how to carry out a legitimate interests assessment and questions to consider which will help.
• There are some ‘red lines’…
You must be clear in your privacy notice to tell people that you are relying on legitimate interest and explain what these interests are. You also have to remember that the right of individuals to object to direct marketing is absolute. And also remember, legitimate interest doesn’t work in all situations or for all processing – don’t forget that PECR sets out the rules for electronic communications.
• … but at the end of the day, organisations have to take their own decisions
The ICO says there is ‘no magic formula’ for the outcome of the balancing test. It doesn’t work by algorithm – organisations will have to review the relevant information, ask questions, and do a balancing exercise – and then you need to make a decision. There will be an element of subjectivity here, but try to be as objective as possible. At the end of the day you will need to be confident that you are using legitimate interests properly, that the benefits of processing data justify any risks you have identified, and that you are being fair.
For more guidance on GDPR, take a look at our suite of resources
For a more detailed look, have a read of Adrian Beney’s summary
Daniel Fluskey, IoF Head of Policy and External Affairs