October 2, 2023
Triggered by security cameras sending data to TikTok, consumer champion Which? recently investigated common home device companies for their collection of consumers’ personal data via so-called “smart products”. Many consumers may be surprised at the information their home appliances are collecting about them. For example, data tracking is programmed into smart washing machines, and some providers require individuals to set up an account and provide their name, date of birth or even their location. Under the UK GDPR, businesses should not collect any more data than the minimum required to carry out their function. In light of that, it is difficult to understand on what basis a washing machine is legitimately collecting that information.
Which? has called for the Information Commissioner’s Office (ICO), the organisation responsible for upholding information rights and data privacy for individuals within the UK, to “crack down on data collection by manufacturers and marketing firms that appears to go beyond legitimate interests”.
Whilst “legitimate interests” is the most flexible of the bases for processing personal data, it can’t be relied on as a blanket authority for all data processing.
So how do you ensure your business is not falling foul of the UK GDPR? We’ve recapped the three-part test for undertaking a legitimate interest assessment, as found in Article 6(1)(f) of the UK GDPR, to help you in your decision-making:
Is there a genuine legitimate interest behind the processing?
This can be a commercial purpose or an individual interest. Examples given in the UK GDPR include use of client or employee data, which would involve regular processing, or fraud prevention, which might include one-off processing by sharing the data with a third party.
As a general rule of thumb, consider whether the individual who has given you their data would reasonably expect you to use their data in the way you are proposing.
It is useful to consider what benefits your company is expecting to get from the processing, including any specific business objectives, whether such processing is common for your type of business, and whether any third parties benefit from the processing. Also consider how important those benefits are, and whether there are any wider ethical concerns as to processing the data.
Is it necessary to process the personal data in order to achieve your intended goals? Could you achieve the same goal by different means?
An overarching principle in the data protection legislation is that all processing of personal data must not go further than is necessary to achieve the purpose. In particular, be mindful of any legacy data-gathering forms you provide to customers and clients and ensure that you are not obtaining information which you don’t need to fulfil your purpose.
The ICO notes that if you find it difficult to explain how the processing achieves your objective or there are alternative methods available to you, then you may need to revisit whether you have a genuine legitimate interest in the proposed data processing.
Is your legitimate interest overridden by the individual’s interests, rights or freedoms?
Will it cause the individual, whose personal data is being processed, any unjustified harm or cause them to lose control over their personal data?
This final step of the test does not mean that the interests of the business and individual must match or be simultaneously achieved, just that if there is any conflict, the business must be able to clearly justify why its interests prevail. It is a balancing act. Where the conflict is significant, the individual’s interests may take priority.
The more significant the risks to the individual, the more compelling the justification for relying on the “legitimate interests” ground should be and the more a business should consider documenting the decision and risk mitigation measures.
If you’re unsure whether your intended data processing can be justified under the legitimate interests ground, please contact a member of our corporate team, Stephen Thompson, via email on sthompson@darwingray.com or via telephone on 029 2082 9136 for a free initial chat to see how we can help you.