Data Protection Animation Series: Consent and Legitimate Interests

View on Vimeo | Subtitled version

For processing of personal data to be lawful under the GDPR, you must have selected an appropriate lawful basis from six options:

• the consent of the data subject
• necessary to fulfil a contract, or pre-contractual obligations
• necessary to meet a legal obligation to which the controller is bound (for example, charity regulation)
• necessary to protect life - of the data subject or another person (aka "vital interests")
• necessary for a task carried out in the public interest or under the duty of a public authority (unlikely to apply to charities)
• necessary for purposes within the legitimate interests of the controller or someone else, except where this would be offset by the interests, rights and freedoms of the data subject

There is no order of importance to these lawful bases, but you will need to determine which can apply to each of your organisation's data processing activities.

This needs to be considered and documented in order to satisfy the first data protection principle: personal data must be processed lawfully, fairly and in a transparent manner.

Your choice of lawful basis should be the one that fits best to the circumstances. Ask, why you are using the personal data? And, what you are doing with it?

For example, fundraisers collect and retain Gift Aid declarations to comply with taxation law. In such cases, 'legal obligation' would be the appropriate choice. But there will also be other data processing activities fundraisers carry out where legal obligation is not applicable, so another justification must be sought.

There is no one-size-fits-all approach. What another organisation does will not necessarily apply to your own, so make sure you have considered each case separately.

Don't forget that there are six lawful bases in total (five if you exclude 'public authority'). However, in this article we are going to focus on 'consent' and 'legitimate interests' as they are most relevant to the work of community and voluntary organisations.

What is 'consent'?

In short, consent is permission given by the data subject (the person whom the personal data is about) to allow you to do what you want to do.

However, this is an over-simplified definition. There are many conditions that must be satisfied for consent to be valid. 

Under the GDPR definition, consent must be:

• freely given: there must be a clear choice to give consent. An individual should not suffer detriment or penalty by not consenting for this to be a free choice.
• specific: there must be a clear separation between consent for data processing, and other matters.
• informed: it should be clear that the data subject understands what they are consenting to.
• unambiguous: it must be obvious that an individual has consented.
• clear and distinguishable: the request for consent can't be buried in terms and conditions. "Silence, pre-ticked boxes or inactivity should not constitute consent".
• easy to withdraw: it should be as easy for the individual to withdraw consent as it is to give it, and they should be informed of this right.

If the way in which you have acquired consent does not meet the above definition, it is not valid and your lawful basis is in danger.

Consent can be given by either a statement (which can be written or verbal), or a 'clear affirmative action' (such as ticking a box or actively providing some information).

You must keep records to demonstrate that consent was obtained in the case of each person. While consent can be requested orally, a note of the specific question(s) being asked as well as the data subject's name and time of the conversation should be kept.

"Opt-out" consent is banned by the GDPR. This means that pre-ticked boxes, or a box that must be ticked to retract consent, would be unlawful. 

It must also be possible for someone to withdraw previously given consent, and barriers should not be put in their way to stop them from easily withdrawing the permission.

The ICO gives a detailed Guide to Consent, which covers how it can be applied in many situations. For guidance on children and consent, please read our FAQ.

What is 'legitimate interests'?

There is a rather long-winded definition in the GDPR itself.

In short, legitimate interests is the best lawful basis in a circumstance where:

• there is a clear benefit to you or to someone else (including the individual themselves),
• the person would expect that you use their information in this way, and
• there is a limited privacy impact on the person.

Because it is not restricted to particular situations and avoids requiring consent, legitimate interests is the most flexible lawful basis.

There are a wide range of activities that could qualify for the 'clear benefit' part of legitimate interests: fraud prevention, financial benefit of the organisation, providing a good service and improving service provision.

What is more important is the impact on the individual's privacy of the activity. If the impact is minimal, limited, or in line with the person's expectations, then it is 'on balance'.

The ICO has a detailed Guide to Legitimate Interests.

When can you use legitimate interests?

To help you figure out whether legitimate interest can be applied, you should carry out a Legitimate Interests Assessment.

This is a three-part test which requires you to:

1. identify your legitimate interest
2. show that the processing activity is necessary to achieve that legitimate interest
3. balance the processing activity against the rights and freedoms of the data subject

It is also helpful to keep this assessment where you are using legitimate interests, as it helps to show that you have been accountable and transparent in your decision making.

Our Data Protection Toolkit contains a Legitimate Interests Assessment template.

Wouldn't it just be easier to get consent for everything?

As we have seen, obtaining consent is less than straightforward. Under the GDPR, consent is quite a high bar to meet in all situations.

Yet some organisations do take this approach as it seems to be the most straightforward, and it might appear to reduce the risk of making the wrong choice or overcome confusion in understanding the complexities of the other lawful bases.

However, there are many good reasons where it may not be appropriate to defer to consent as a 'default' lawful basis.

As well the difficulty in meeting the definition of consent in all cases, the practicalities of having to obtain, record and demonstrate that valid consent has been gathered can be time-consuming.

If it is realistic and appropriate to use another lawful basis in the same situation, a lot of unnecessary work will instead be avoided.

When can you not use legitimate interests?

Firstly, you would not use legitimate interests in any situation where the rights and freedoms of the data subject(s) were not in balance with the interest itself.

For example, it may well be in a debt advice charity's interest to share their service users' personal financial data with a market research company, if it unlocked sorely-needed funding. But this is surely not on balance with the rights and freedoms of those people.

Secondly, if it is not necessary to carry out the processing activity to meet the stated purpose, then legitimate interests would not be applicable.

Most people would agree that it is in your legitimate interests to produce promotional material for you counselling service. But it is not necessary to use a photograph of a service user to achieve this purpose (and also unlikely to be on balance with their rights and freedoms). So, in this case, you only real option would be to seek their consent first.

Thirdly, if it were possible to apply a basis such as contract, legal obligation or protecting life, it would be unnecessary to pick legitimate interests as these are clearly more appropriate as a lawful basis.

This is not to say that the use case for legitimate interests is limited—far from it—but first of all it requires careful consideration.

Can we use legitimate interests for marketing purposes?

Please note that some of the guidance in this section may in future be impacted by the EU's yet-to-be-agreed ePrivacy Regulation.

There are other rules which govern electronic direct marketing. These make it unlawful to send electronic marketing without having first obtained permission from the recipient (though there are some exceptions in specific circumstances).

These rules are the Privacy and Electronic Communications Regulations (PECR)—sometimes referred to as 'anti-spam laws'.

The rules apply to any type of marketing that is directed at an individual and is communicated by electronic means: email and SMS/text messaging, phone calls or fax.

Marketing covers more than selling or fundraising appeals. It will cover what the ICO refers to as material "promoting the aims or ideals of not-for-profit organisations". This could include your charity's newsletter, a political campaign, or promoting of local events.

As postal marketing is not electronic, it is not covered by PECR. But as GDPR is relevant to all personal data, the data protection principles apply and a lawful basis is still required. Legitimate interests could be applied in this case and consent avoided, but the three-part test still needs to be satisfied.

There are also some exceptions to the general rule requiring consent for electronic marketing. If someone has paid for a service then the "soft opt-in" option can be used (this does not cover donations to your charity as they are not given in return for services or goods). Business-to-business marketing is also treated differently from marketing to individual subscribers. For more detail on this, please refer to the ICO's Direct Marketing Guidance.

See also:

ICO Lawful basis interactive guidance tool