“Legitimate interests” is one of six lawful bases under which organisations can process personal data under the GDPR.
The government has proposed changes to it, targeted for inclusion in revisions to the UK GDPR and Data Protection Act 2018 that are expected during the 2022/23 parliamentary session. These changes focus on making it easier for organisations to use this lawful basis, by proposing a list of purposes for which the usual balancing test is not required.
This briefing paper proposes three additional changes that would primarily apply when purposes fall outside the list and organisations have to use the balancing test:
- Enable organisations to process data in the public interest, by adding public interest as a factor to be taken into account in the balancing test
- Increase organisations’ confidence in borderline balancing tests by encouraging them to consult with their customers or community
- Increase trust in organisations that use legitimate interests by requiring transparency about the balancing test and how it was undertaken