The Information Commissioner’s Office has published new guidance explaining how an organisation can use legitimate interest as the basis for processing data.
The new guidance is part of the regulator’s wider GDPR. It says legitimate interest is one of six bases, and applies when you need to use some data in order for your business to function.
It can be used in some circumstances to justify fundraising when an organisation does not have opt-in consent. The ICO says it is likely to apply as the basis for direct marketing, and gives an example of when it might be used by a fundraiser.
The guidance says legitimate interest is not necessarily applicable when contacting individuals via text or email, which require you to have opt-in consent, because they are governed by the Privacy and Electronic Communications Regulation.
The ICO says legitimate interest may be the most appropriate basis to use to process an individual’s data when:
- The processing is not required by law but is of a clear benefit to you or others
- There’s a limited privacy impact on the individual
- The individual should reasonably expect you to use their data in that way
- You cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing
If you use legitimate interest as the basis to process data, the guidance says, you must perform a “balancing test” to identify the value to your organisation against the disruption to the individual.
Example of legitimate interest
The ICO has given a worked example of how legitimate interest should be used for fundraising, as below:
A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them.
The charity’s purpose of direct marketing to seek funds to further its cause is a legitimate interest.
The charity then looks at whether sending the mailing is necessary for its fundraising purpose. It decides that it is necessary to process contact details for this purpose, and that the mailing is a proportionate way of approaching individuals for donations.
The charity considers the balancing test and takes into account that the nature of the data being processed is names and addresses only, and that it would be reasonable for these individuals to expect that they may receive marketing material by post given their previous relationship.
The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal however it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in future.