Understand the GDPR legitimate interest vs. consent dilemma

GDPR: Legitimate Interest vs. Consent

Jeff Sanchez, Managing Director Security and Privacy
Diana Candela, Associate Director Security and Privacy

For the past several months organizations around the globe have been updating privacy policies to include their lawful basis for holding and processing a user’s information, in an effort to comply with the European Union’s new General Data Protection Regulation (GDPR). The law, which took effect May 25, 2018, is considered to be among the toughest privacy laws in the world.

One of the key provisions of the law is that the processing of personal data of a data subject requires a legal basis to process that data. While, initially, organizations turned to consent first as their legal basis, more organizations are now considering the circumstances under which they might be able to assert “legitimate interest” in lieu of consent. Legitimate interest is asserted when the processing of data is deemed necessary, and that necessity outweighs any risks to the data subject. If the processor of data cannot claim legitimate interest, it must seek consent or another legal basis to process personal data.


Under GDPR, consent, typically established through user acceptance of data privacy policies, is not open-ended, must be explicit and can only be applied to specific reasonable and known uses. Consent cannot be unilaterally extended to unspecified or unanticipated uses. And data controllers must provide users with both an opt-in and opt-out choices, along with the choice to delete previously collected data (data erasure process). The key challenge with obtaining consent under these conditions is that it is both difficult and expensive to manage.

Legitimate Interest

The legitimate interest provision allows organizations to use personal data without specific consent (or other legal basis), provided they can demonstrate a legitimate purpose and the criticality of personal data processing in achieving that purpose. They must also provide a risk-based assessment of potential data owner impacts, and risk mitigation strategies. In other words, the organization must consider whether it can use a different approach to achieve its goals, without the processing of personal data. If it can, then that processing would be unlawful withoutanother valid legal basis.

The prescribed process for establishing legitimate interest is outlined in recently published guidance from the UK’s Information Commissioner’s Office (ICO). According to the ICO, a data controller must pass these three tests:

  • Purpose test – Is there a legitimate interest behind the processing?
  • Necessity test – Is the processing necessary for the claimed purpose?
  • Balancing test – Is the legitimate interest superseded by the individual’s interests, rights or freedoms?

The ICO has published a sample template with questions to help organizations navigate the legitimate interest assessment (LIA). The assessment process begins with a simple statement describing why the organization needs to process personal data, followed by the benefits it hopes to receive from that data as well as consideration of any ethical issues and the harm that could occur if the processing of that data were curtailed.

Once the purpose has been established, data controllers need to determine whether data processing is required for that purpose, and whether that purpose could be achieved without the data, with less data, or by processing the data in less intrusive ways. In general, organizations must be prepared to demonstrate that legitimate interests outweigh the indirect general interests of data subjects and the processing of the subjects’ data is therefore justified.

Where to Start?

The ICO recommends starting with its Data Protection Impact Assessment (DPIA) checklist, to determine whether a formal DPIA is required. DPIA triggers include special categories of data, including criminal histories and data related to children or other vulnerable groups. Other considerations include the degree to which an individual might expect a company to be processing their data, including within established relationships.

A risk-based assessment should include the potential impacts of personal data processing on the individual, the severity of those impacts, the organization’s willingness to disclose and discuss those potential impacts with the individual, opt-out mechanisms, and any safeguards the organization can adopt to minimize those impacts.

The choice of whether to go with consent or legitimate interests is process-specific and should not be made lightly. Common wisdom suggests that legitimate interest is “cleaner,” in terms of ongoing maintenance, but hard to prove; and consent, though relatively easy to get on a go-forward basis, can be difficult to manage downstream and may also be missing from historical records (e.g., existing contacts in a company’s database who have not provided consent under the current law). In reality, the best approach is going to be determined by the nature of the data being processed, and the purpose the data processing.

Tap into Protiviti’s data privacy resources and bookmark the page for future updates. Also read additional blog posts on The Protiviti View related to GDPR.

Add comment