GDPR: Legitimate Interest vs. Consent

For the past several months organizations around the globe have been updating privacy policies to include their lawful basis for holding and processing a user’s information, in an effort to comply with the European Union’s new General Data Protection Regulation (GDPR). The law, which took effect May 25, 2018, is considered to be among the toughest privacy laws in the world.

Protiviti has been following this issue closely over the past year and has compiled helpful information on a GDPR microsite. One of the key provisions of the law is that the processing of personal data of a data subject requires a legal basis to process that data. While, initially, organizations turned to consent first as their legal basis, more organizations are now considering the circumstances under which they might be able to assert “legitimate interest” in lieu of consent. Legitimate interest is asserted when the processing of data is deemed necessary, and that necessity outweighs any risks to the data subject. If the processor of data cannot claim legitimate interest, it must seek consent or another legal basis to process personal data.


Under GDPR, consent, typically established through user acceptance of data privacy policies, is not open-ended, must be explicit and can only be applied to specific, reasonable and known uses. Consent cannot be unilaterally extended to unspecified or unanticipated uses. Data controllers must also provide users with both opt-in and opt-out choices, along with the choice to delete previously collected data (a data erasure process). The key challenge with obtaining consent under these conditions is that it is both difficult and expensive to manage.

Legitimate Interest

The legitimate interest provision allows organizations to use personal data without specific consent (or another legal basis), provided they can demonstrate a legitimate purpose and the criticality of personal data processing in achieving that purpose. They must also provide a risk-based assessment of potential impacts on the data owner, along with risk mitigation strategies. In other words, the organization must consider whether it can use a different approach to achieve its goals without processing personal data. If it can, then that processing would be unlawful without another valid legal basis.

The prescribed process for establishing legitimate interest is outlined in recently published guidance from the UK’s Information Commissioner’s Office (ICO). According to the ICO, a data controller must pass these three tests:

  • Purpose test – Is there a legitimate interest behind the processing?
  • Necessity test – Is the processing necessary for the claimed purpose?
  • Balancing test – Is the legitimate interest superseded by the individual’s interests, rights or freedoms?

The ICO has published a sample template with questions to help organizations navigate the legitimate interest assessment (LIA). The assessment process begins with a simple statement describing why the organization needs to process personal data, followed by the benefits it hopes to receive from that data as well as consideration of any ethical issues and the harm that could occur if the processing of that data were curtailed.

Once the purpose has been established, data controllers need to determine whether data processing is required for that purpose, and whether that purpose could be achieved without the data, with less data, or by processing the data in less intrusive ways. In general, organizations must be prepared to demonstrate that legitimate interests outweigh the indirect general interests of data subjects and the processing of the subjects’ data is therefore justified.

Where to Start?

The ICO recommends starting with its Data Protection Impact Assessment (DPIA) checklist, to determine whether a formal DPIA is required. DPIA triggers include special categories of data, including criminal histories and data related to children or other vulnerable groups. Other considerations include the degree to which an individual might expect a company to be processing their data, including within established relationships.

A risk-based assessment should include the potential impacts of personal data processing on the individual, the severity of those impacts, the organization’s willingness to disclose and discuss those potential impacts with the individual, opt-out mechanisms, and any safeguards the organization can adopt to minimize those impacts.

The choice of whether to go with consent or legitimate interests is process-specific and should not be made lightly. Common wisdom suggests that legitimate interest is “cleaner,” in terms of ongoing maintenance, but hard to prove; and consent, though relatively easy to get on a go-forward basis, can be difficult to manage downstream and may also be missing from historical records (e.g., existing contacts in a company’s database who have not provided consent under the current law). In reality, the best approach is going to be determined by the nature of the data being processed and the purpose of the data processing.

Tap into Protiviti’s GDPR resources and bookmark the page for future updates.

Jeffrey Sanchez

Managing Director
Technology Consulting – Security and Privacy

Diana Candela

Associate Director
Technology Consulting – Security and Privacy
