We often get asked how to position, illustrate, and sell products worldwide when everyone still has the General Data Protection Regulation (GDPR) on their mind. We receive so many inquiries that we decided to write this blog post.
Depending on the use case, processing information as it relates to the security of the organization and its data could fall under something called “legitimate interest.” But what is legitimate interest, and how often can (and should) an organization claim it?
The Origin of GDPR
Before we dive too deep, we should note that legitimate interest already existed in the Data Protection Act of 1998, which was, in effect, the GDPR before the GDPR was born. The wording did change, though. The Data Protection Act of 1998 stated:
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”
What is Legitimate Interest?
Now that we have some context, let’s dive into our use case. Article 6 (Lawfulness of processing), paragraph 1, point (f) of the GDPR states: “Processing shall be lawful only if and to the extent that at least one of the following applies:”
(f) “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Legitimate interest refers to the interest that the company processing personal data may have in that processing. The way we interpret this is that an organization has a legitimate interest to process data without explicit consent when the processing is a necessary part of achieving the objectives of the controller, a third party, or a broader audience, and it is reasonable to assume the privacy impact would be minimal.
Basically, you have a legitimate interest and can process the data, except when you can’t (that is, when the interests or fundamental rights and freedoms of the data subject override yours). Of course, the information must still be protected and treated at least as carefully as any other form of personal data, there must be a lawful basis, and individuals should be made aware of how it is used.
For those wondering, the interests or fundamental rights and freedoms of the data subject include physical, material, non-material or any other impact, such as:
- inability to exercise rights (including data protection rights);
- loss of control over the use of personal data; or
- any social or economic disadvantage.
One problem with the ambiguous nature of the GDPR and the layers of text that accompany it is that legitimate interest can mean different things to different organizations, depending on how willing each one is to defend its actions and take on the additional responsibility of adequate protection that a legitimate interest claim incurs.
Judging by Google’s search predictions, it appears many companies are researching the same questions.
For our use case of network and security architecture concerns, let’s look at Recital 49:
“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, (i.e., the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems) by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.”
Other recitals call out marketing (47), human resources (48), fraud (47), and criminal acts (50) as legitimate interest use cases.
What Legitimate Interest Means for Organizations
What does claiming legitimate interest mean for your organization?
Basically, there will be occasions within your security, marketing, legal, HR, and most other day-to-day operations when you have a justification for processing personal data. This probably means there may be a more intrusive impact on the individual than allowed by the GDPR. The processing can be warranted and performed without explicit notification and opt-in requirements for every single processing event.
Legitimate interest processing will help you avoid spamming individuals with unnecessary consent requests for necessary and repetitive processing events, not to mention keep data protection teams focused on the day-to-day work of protecting both your and your customers’ interests.
Claiming a Legitimate Interest
When an organization processes data with the goal of enhanced network and security operations, per the GDPR, that should (not will) constitute a legitimate interest. But this has still not been put to the test in any official capacity, and right now we must rely on our own theories, and those of others, to support our justification.
The Article 29 Data Protection Working Party (a group of advisors representing every EU country) adopted the following opinion, as it related to the GDPR, in 2017 during its pre-release evaluation: “In this context, the Working Party also supports the principled approach chosen in the Proposed Regulation of broad prohibitions and narrow exceptions, and believes that the introduction of open-ended exceptions along the lines of Article 6 GDPR, and in particular Art. 6(f) GDPR (legitimate interest ground), should be avoided.”
In lieu of any actionable audit procedures to attest to, you would be smart to document the legitimate interest objective, including why the information is necessary and how the competing parties’ interests balance, and to outline how the process operates using the least personal data possible. You should establish and continually update inter-office agreements, data processing agreements, impact assessments, and internal- and external-facing privacy policies, and ensure that appropriate safeguards are in place to protect the individual’s interests.
When assessing whether to process, store, or otherwise use personal data in a given system, the data protection officer must determine whether the intended business goal can be achieved while maintaining the individual’s data privacy rights (the legitimate use decision). Data minimization functions, including data masking, de-identification, and other anonymization techniques, can help limit personal data exposure while retaining the data the tools need to achieve their objectives.
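One way to put the data minimization point above into practice, as an added example that is not from the original post: keyed pseudonymization of usernames and source IPs in authentication logs. The log lines, the key, and the function names are constructed for illustration; the point is that a repeated-failure count still works on the minimized data, so the security tool keeps its objective while the raw identifiers leave the record.

```python
import hashlib
import hmac
import re

# Constructed auth-log lines (not from any real system) with the kind of
# personal data a security tool would normally retain: usernames and IPs.
SAMPLE_LOGS = [
    "2018-05-25T10:00:01Z sshd[412]: Failed password for alice from 203.0.113.45 port 51234",
    "2018-05-25T10:00:04Z sshd[412]: Failed password for alice from 203.0.113.45 port 51236",
    "2018-05-25T10:00:09Z sshd[412]: Accepted password for bob from 198.51.100.7 port 40022",
]

# Demo key only; a deployment keeps this in a secrets store, restricts who may
# use it, and rotates it on a schedule so tokens cannot be joined indefinitely.
SECRET_KEY = b"constructed-demo-key-replace-me"

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\bfor (\w+) from\b")
TOKEN_RE = re.compile(r"\bip_[0-9a-f]{12}\b")

def pseudonymize(value: str, key: bytes, prefix: str) -> str:
    """Deterministic keyed token: identical inputs give identical tokens, so
    correlation survives, but without the key nobody can rebuild the mapping
    by hashing guesses (which is the weakness of a plain, unkeyed hash)."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}_{digest[:12]}"

def minimize_line(line: str, key: bytes) -> str:
    """Replace the username and every IP address with pseudonymous tokens."""
    line = USER_RE.sub(lambda m: f"for {pseudonymize(m.group(1), key, 'user')} from", line)
    return IP_RE.sub(lambda m: pseudonymize(m.group(0), key, "ip"), line)

def source_token(masked_line: str) -> str:
    """Return the pseudonymous source-IP token on an already minimized line."""
    return TOKEN_RE.search(masked_line).group(0)

def failed_logins_by_source(lines, key: bytes) -> dict:
    """The tool's objective (spotting repeated failures from one source) is met
    on the minimized data alone; no raw IP or username is needed."""
    counts = {}
    for line in lines:
        masked = minimize_line(line, key)
        if "Failed password" in masked:
            src = source_token(masked)
            counts[src] = counts.get(src, 0) + 1
    return counts

if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_LOGS, SECRET_KEY))
```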
The International Association of Privacy Professionals provides a great many legitimate interest resources, including examples, process flows, and an assessment template for use internally and with customers (linked here). We highly recommend using those resources and letting customers discuss within their organizations what they consider a legitimate interest and how they would like to proceed.
Thanks, GDPR, for another ambiguity-fueled conversation. As a precaution, have your counsel on speed dial.
Disclaimer: Always ensure that the customer has consulted with counsel about anything regarding GDPR and has the proper policies, procedures, and protections in place before giving suggestions. At the end of the day, the organization is liable — not you. But the ill will could result in negative impacts for you and your organization.