Data is the new gold.
Access to data and the ability to apply, exploit and manipulate that data for economic and commercial advantage will make businesses thrive, stay relevant and gain competitive advantage.
How do companies and businesses maneuver the data in their possession to their advantage within the realm of Data Protection Legislation?
This Article attempts to explore the obligation cast on the Data Controller to balance the Legitimate Interest lawful basis of processing data with the rights, interests and freedoms of the Data Subject.
Processing Personal Data on the lawful basis of Legitimate Interest
The European Union’s General Data Protection Regulation (GDPR) defines Personal Data as any information relating to an identified or identifiable natural person (‘Data Subject’).
A Controller is any person who alone or jointly with others determines the purposes and means of processing Personal Data.
Any operation performed on Personal Data such as collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure, destruction of, consultation, alignment, combination, or the carrying out of logical or arithmetical operations would amount to an act of Processing.
Article 6(1)(f) of the GDPR articulates that Processing shall be lawful if the processing is necessary for the purposes of the Legitimate Interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.
The concept of Legitimate Interest is versatile and flexible. To establish it, there needs to be a relevant and appropriate relationship between the Data Subject and the Controller. Furthermore, the circumstances should be such that the Data Subject can “reasonably expect”, at the time and in the context of data collection, that his Personal Data will be processed for the intended purpose.
The Balancing Test
Companies and businesses need to justify the outcome of Processing Personal Data by weighing the personal rights, interests and freedom of the Data Subject against the Legitimate Interests of the Controller.
If the Data Subject could not reasonably expect such Processing of his Personal Data at the point of data collection, or if such Processing would damage or harm his personal interests, rights or freedoms, his interest in protecting his Personal Data would most likely override the Legitimate Interest on which the Controller is seeking to rely.
Recital 38 of the GDPR notes that children merit specific protection regarding their Personal Data, as they are less aware of the risks, consequences and safeguards associated with Processing their Personal Data. Therefore, it could be reasoned that the Legitimate Interest of a Controller using the data of children for profiling and direct marketing activities would not be greater than the fundamental rights, interests and freedoms of the child.
On the other hand, instances necessitating data Processing by a Controller or a third party for fraud prevention or anti-money laundering activities, for controlling information or network security risks, or even where an employer undergoing organizational changes as a result of a merger or an acquisition discloses employee data to the prospective acquiring company, can be perceived as Legitimate Interest as a lawful basis for Processing the Personal Data of Data Subjects, as they will have a reasonable expectation that their data is being processed for such purposes.
Legitimate Interest Assessment (LIA)
Controllers may conduct an LIA to objectively assess whether Legitimate Interest can be adopted as a lawful basis for Processing Personal Data.
A consideration would be to ascertain the purpose of Processing the data. Another would be the expectation of the Controller. Also, it may be prudent to evaluate the impact and outcome of the Processing and determine if the Processing is necessary and proportionate for the intended purpose of Processing.
Deliberations need to be made on the nature and the sensitivity of data Processed, the probable impact of Processing and the precautions adopted to minimize the negative impact, severity or harm to the Data Subject that could occur in Processing such data.
The LIA can be used as an effective method of keeping a record of the actions taken by the Controller. Furthermore, conforming to the principles of accountability endorsed in Article 5 of the GDPR, it is prudent that the LIA be reviewed in the event there is a significant change in the nature or the context of Processing operations.
Conclusion
The equilibrium is a thin line founded on common sense, facts and circumstances. Protecting your customers’ data can be a competitive advantage to the business. Therefore, companies should operationally encourage mechanisms for data protection by design, adopt clear opt-out mechanisms empowering Data Subjects to choose how their data is used, provide for non-excessive retention periods, envisage setting binding corporate rules and adhere to good data governance practices to navigate businesses through the Data Protection legal landscape.
By: Shivandini Liyanage, LLM, MBA, Head Legal -Hemas Holdings PLC