The EU General Data Protection Regulation is finally here, and while its arrival has been long awaited, the discussion on how to implement its requirements does not end here. In fact, this is likely to be the start of an ongoing discussion for years to come, especially given the risk-based approach to compliance that is mandated by the GDPR.
Out of all six legal bases for processing offered by the GDPR, two in particular have stood out—consent and legitimate interests—and a question we have commonly heard at OneTrust is: which of these should I rely on for the purpose of sending direct marketing emails? This is a difficult question to answer, and as most lawyers will tell you: “it depends.”
At OneTrust, we have discussed the topic of legal basis with countless organizations as they have prepared for, and implemented, the GDPR. Under the GDPR, one of the ways in which personal data may be processed is where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”[1] Implicit in this legal basis, and in combination with Article 5’s ‘accountability’ principle, is the need to document a legitimate interests assessment (LIA).
The UK Information Commissioner’s Office (ICO) breaks this down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
The completed LIA can then be used to demonstrate to a supervisory authority, if necessary, that full consideration was given to the interests of all affected parties, including to the potential benefits and harms that could stem from the activity.
It is true that legitimate interests provides flexibility to data controllers, but it is important to note that with flexibility comes the risk that a supervisory authority might disagree with your LIA, and thus with your reliance on legitimate interests as a legal basis for a given processing activity. Reliance on legitimate interests therefore requires a certain level of comfort with uncertainty.
Consent, on the other hand, can provide a great deal more certainty. Put simply, consent is a data subject’s indication of agreement to the processing of their personal data, which places control in the hands of the data subject.
Consent has historically been one of the most common legal bases relied upon for the processing of personal data. However, under the GDPR, additional conditions will need to be met, making consent more difficult to rely on as a legal basis for processing. Under Article 4(11) of the GDPR, consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Additionally, under Article 7(1), data controllers must be able to “demonstrate that the data subject has consented to processing of his or her personal data,” and according to the Article 29 Working Party “[c]ontrollers are free to develop methods to comply with this provision in a way that is fitting in their daily operations.”[2]
According to the WP29, one way of doing this is to “keep a record of consent statements received” in order to show how and when consent was obtained, what information was provided to the data subject, and the workflow behind ensuring that the consent included each of the requisite elements.[3] This could mean “retain[ing] information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time.”[4] Consent management tools can assist with generating and managing such records.
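To make the record-keeping described above concrete, here is an added example (not OneTrust code, and not an implementation of any particular consent management tool) of an in-memory consent log that captures the four things the WP29 guidance names: the session in which consent was expressed, when it happened, the workflow in force at the time, and the exact copy of the information presented. The notice text is versioned and hashed so that a record can later prove which wording the data subject saw, and the store refuses records that lack the "specific" and "unambiguous" elements of the Article 4(11) definition. All class names, field names and the sample notice text are this example's own assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


def _digest(text: str) -> str:
    """SHA-256 of a notice text, so a record can later prove which wording was shown."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    """One consent statement received, with the evidence needed to demonstrate it."""
    subject_id: str
    session_id: str            # the session in which consent was expressed
    timestamp: str             # when it was expressed (ISO 8601, UTC)
    notice_version: str        # which copy of the information was presented
    notice_digest: str         # hash of that copy, so tampering is detectable
    workflow_version: str      # documentation of the consent workflow at the time
    purposes: tuple            # the purposes this consent is specific to
    affirmative_action: str    # the clear affirmative action taken, e.g. "ticked_unchecked_box"


class ConsentLog:
    """Hypothetical append-only store of published notices and consent records."""

    def __init__(self):
        self._notices = {}     # version -> notice text actually presented
        self._records = []

    def publish_notice(self, version: str, text: str) -> None:
        # A published notice is immutable: changed wording must get a new version,
        # otherwise earlier records could no longer show what was actually presented.
        if version in self._notices:
            raise ValueError(f"notice {version} already published; publish a new version instead")
        self._notices[version] = text

    def record_consent(self, subject_id: str, session_id: str, notice_version: str,
                       workflow_version: str, purposes, affirmative_action: str,
                       timestamp: Optional[datetime] = None) -> ConsentRecord:
        # "informed": we must hold the exact information that was shown
        if notice_version not in self._notices:
            raise ValueError("unknown notice version: cannot show what the subject was told")
        # "specific": consent must name the purposes it covers
        if not purposes:
            raise ValueError("consent must be specific to at least one purpose")
        # "unambiguous": a pre-ticked box or inactivity is not a clear affirmative action
        if affirmative_action in (None, "", "pre_ticked_box", "inactivity"):
            raise ValueError("consent requires a clear affirmative action")
        rec = ConsentRecord(
            subject_id=subject_id,
            session_id=session_id,
            timestamp=(timestamp or datetime.now(timezone.utc)).isoformat(),
            notice_version=notice_version,
            notice_digest=_digest(self._notices[notice_version]),
            workflow_version=workflow_version,
            purposes=tuple(purposes),
            affirmative_action=affirmative_action,
        )
        self._records.append(rec)
        return rec

    def verify(self, rec: ConsentRecord) -> bool:
        """True if the stored notice text still matches what the record says was shown."""
        text = self._notices.get(rec.notice_version)
        return text is not None and _digest(text) == rec.notice_digest

    def evidence(self, subject_id: str, purpose: str) -> Optional[dict]:
        """Everything needed to demonstrate consent for one purpose: the latest matching
        record plus the notice text as presented, with an integrity check on that text."""
        for rec in reversed(self._records):
            if rec.subject_id == subject_id and purpose in rec.purposes:
                return {"record": asdict(rec),
                        "notice_text": self._notices[rec.notice_version],
                        "integrity_ok": self.verify(rec)}
        return None


if __name__ == "__main__":
    # Constructed sample data, not real subjects or notices.
    log = ConsentLog()
    log.publish_notice("v1", "We will email you product news. You can unsubscribe at any time.")
    log.record_consent("subject-001", "sess-42", "v1", "wf-2018-05",
                       ["direct_marketing_email"], "ticked_unchecked_box")
    print(json.dumps(log.evidence("subject-001", "direct_marketing_email"), indent=2))
```

The `evidence()` call is what you would hand to a supervisory authority for one data subject and one purpose; `integrity_ok` turning false means the stored notice text no longer matches what the record was made against, which is exactly the situation the versioning and hashing are there to surface.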