The Information Commissioners’ Office (ICO) has published detailed guidance on the use of legitimate interests as the lawful basis for processing.
The guidance sets out details about legitimate interest, when you can use it and how to use a legitimate interest impact assessment (LIA) to determine whether it is lawful for you to process data as a legitimate interest.
Fundamentally there is little change under GDPR in terms of legitimate interest but the GDPR’s principles of transparency and accountability mean you will need to be sure you can demonstrate you’ve carried out an LIA and that it was lawful for use legitimate interest for your processing of data. Ultimately, you will need to be able to demonstrate that:
- no other lawful basis for processing was possible (e.g. if you could ask for consent, then you should ask for consent)
- the processing is necessary
- the processing is not harmful to an individuals’ interests, rights and freedoms
Read the guidance here.