The EU GDPR is finally here. The major challenge today for most organizations is how to implement its requirements, but unfortunately it does not end there. It has grown into an ongoing discussion about how clearly the rules apply to B2B and B2C marketing, especially given the risk-based approach to compliance that the GDPR mandates.
With over 10 years in the data industry, SMARTe is a veteran when it comes to customer data handling. “Privacy First” has been our mantra long before the GDPR came into existence. We have been working diligently on the newly applicable regulation to build awareness among our customers and prospects, and to ensure that our own processes and required compliance measures are in sync with the GDPR. In the current scenario there is a lot of ambiguity around ‘Consent’ and ‘Legitimate Interest’, and many misconceptions about the concept of lawful basis are the talk of the town. We have tried to outline our understanding and the key points that sales and marketing teams should consider as they start on the journey to EU GDPR compliance, and how SMARTe can help them.
The first thing to know is whether, and to what extent, the GDPR applies to you. The GDPR applies to ‘controllers’ and ‘processors’. You, as a ‘Controller’, determine the purposes and means of processing personal data, while we, as a ‘Processor’, are responsible for processing personal data on behalf of the controller.
As per the ICO, the GDPR is more specific about the information you need to provide to people about what you do with their personal data. Hence, you will be required to state the lawful basis for processing personal data.
According to the GDPR, there are six lawful bases for communicating with clients and prospects, and they are equally important – Consent, Contract, Legal Obligation, Vital Interest, Public Task, and Legitimate Interest.
The ICO states that legitimate interest is the most flexible of the six lawful bases. It is not tied to a particular purpose and therefore gives you more scope to rely on it in many different circumstances.
It may be the most appropriate basis when:
• The processing is not required by law but is of clear benefit to you or others;
• There is a limited privacy impact on the individual;
• The individual should reasonably expect you to use their data in that way; and
• You cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
SMARTe takes into account “the interests or fundamental rights and freedoms of the data subject which require the protection of personal data”, and checks that they do not override our legitimate interests.
We comply with Article 6(1)(f), read with Recital 47, which sets out a three-part test covering the key elements of legitimate interests:
• Purpose test – is there a legitimate interest behind the processing?
• Necessity test – is the processing necessary for that purpose?
• Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
We make sure we complete a Legitimate Interests Assessment (LIA) document, which consists of the Purpose Test, Necessity Test and Balancing Test, and capture all the relevant information called for by each test. This record becomes the lawful basis that can be showcased to a relevant supervisory authority, if necessary, to demonstrate that full consideration was given to the interests of all affected parties, including the potential benefits and harms that could stem from the activity.
Recital 171 of the GDPR reads: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”
SMARTe legitimate interest procurement process –