Under the topics of Consent and Legitimate Interest in the upcoming GDPR, performing a balancing test to weigh the reasons a business holds personal data against the data rights of an individual is something marketers, and organisations in general, are going to have to become much more familiar with. Companies will have to make changes to their existing policies and processes in order to meet compliance standards, but just what is a balancing test, and how do you go about it?
A balance testing is one of the three key stages of the Legitimate Interest Assessment, which looks at:
- Legitimate interest - The purpose behind the holding and processing of data
- Necessity - Whether a business can perform its functions without this data
- Balance - Whose interests are supported most by the holding and processing of this data
Legitimate interest is about understanding the purpose for processing personal data and making sure there is a lawful basis to do so. Even in the most obvious and legitimate cases, data controllers will have an obligation to clearly document and explain how personal information is being used, and prove that they meet one of the following legal foundations:
- Contractual obligations of the data subject
- Legal obligations to ensure compliance
- Vital Interests, either for the data subject or another data subject
- Public Interest, usually executed by a legal authority or
- Legitimate Interest
Legitimate interests include:
- Direct Marketing
- Reasonable expectation
- Relevant and appropriate relationship
- Strictly necessary for fraud prevention
- Network and information security
This stage is about proving whether data processing is necessary to reach commercial or business objectives, and comes with the added challenge of working out exactly what ‘necessary’ means.
As it stands, ‘necessary’ isn’t so limited that it’s deemed ‘essential’, but then it’s not as wide a definition as ‘useful’ or ‘reasonable’ - which has led to some suggesting it might be easier to ask: ‘Is there another way of achieving the identified interest?’
- If there is not, then processing can be deemed necessary
- If there is, but the effort required is disproportionate, you can also assume necessity
- If there are multiple ways to achieve the same objective, a Data Protection Impact Assessment (DPIA) should be carried out to identify the least intrusive means
- If the processing is deemed unnecessary, then legitimate interest cannot be relied on as a lawful basis, and any data held under this foundation must be securely removed
Data controllers can only rely on a genuine legitimate interest when the rights and freedoms of the individual have been taken into consideration and are not seen to be overridden by the controller’s interest.
To make this assessment controllers must look at:
The nature of the interest - This explores whether an individual would (or should) expect some degree of processing, what type of data you could reasonably expect to be used, whether that information requires additional protection, and the nature of interest – whether it’s in the individual’s interest and offers some value or convenience, or benefits the business more.
The impact of processing - This looks at the status of both the individual and data controller. It weighs up how data is processed, and whether there are any positive or negative impacts created for the individual, how severe those impacts might be, how justified it is, and whether there is any bias or prejudice on the part of the data controller.
The safeguards in place - This could be a range of compensation controls to help protect the individual’s data and data rights, or include built-in features such as:
- Data minimisation
- Privacy by design
- Adding extra transparency
- Additional layers of encryption
- Multi-factor authentication
- Data retention limits
- Restricted access
- Opt-out options
- Anonymisation and pseudonymisation
Safeguarding is particularly important when the personal data relates to children or special categories where extra care should be taken with the balancing test, as it can lend additional weight to the rights of the individual in question.
What happens if a balancing test does not go in favour of the controller?
If the Legitimate Interest Assessment leads to a negative outcome and the controller cannot rely on Legitimate Interests for the processing operation, they can take steps such as reducing the scope, refining the nature of the processing operation, or putting compensating controls in place. Once in place, they can re-apply the balancing test to see if they get a more favourable result.
If changes aren’t practical, the controller will need to find an alternative legal basis or agree not to process the data at all. In such cases, the business will need to have the IT systems in place that can accommodate withdrawal of the process and/or the data. If the company persists with data processing despite failing the balancing test, by May 2018 they may very well face some crippling fines.
Striking the right balance is an integral part of the processes, and the bottom line is that any business that can’t find a way to work through the steps and meet the requirements, will have to take a step back and rethink their plans.
This can require seeking the advice of an external party who can take an unbiased look at your current policies and systems, and a certified GDPR consultant is perfectly placed to find solutions to these kinds of problems.
At pebble.it, we help businesses with their IT and technology needs to ensure they have the most efficient and effective route to market, and with extensive knowledge of GPDR and what it means to companies who want to keep talking to customers, we can marry the two and help you move forward without fear of regulatory repercussions.
As certified GDPR experts, pebble.it can help you meet GDPR compliance across your organisation, assessing what you have and what you need to do to avoid the risk of regulatory fines.
Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist: