Crucial to charities’ compliance with data protection law is the phrase ‘legitimate interest’. But what does it mean and how can it help protect beneficiaries, stakeholders, and donors?
Charities need to be aware of the phrase ‘legitimate interest’ when complying with data protection law.
To ensure the information and data of donors, staff, beneficiaries, and other stakeholders is protected, charities are bound by the EU’s General Data Protection Regulation (GDPR).
Even though the UK has now left the EU, GDPR has been incorporated into UK data protection legislation. GDPR still applies along with the UK’s Data Protection Act of 2018.
Crucial to GDPR is the concept of ‘legitimate interest’ when processing data. According to the data protection regulator, the Information Commissioner’s Office (ICO), it gives charities and other organisations a legal reason to process personal data, provided that processing is lawful, fair, and transparent.
The ICO points out that the phrase ‘legitimate interest’ offers organisations flexibility, as it is not focused around one particular purpose for using data. As long as it is lawful, fair, and transparent, its use is legitimate according to GDPR.
The legitimate interest provision of GDPR sets out a three-part test in the legislation to help organisations such as charities ensure they are processing data legitimately.
The ICO recommends applying the following three questions when considering the legitimacy of processing data:
To rely on ‘legitimate interest’ when handling data, charities must show they have a clear and specific benefit or outcome in mind. Relying on vague or generic interests may not be enough.
Instead, charities should pinpoint what the specific purpose is, such as having a legitimate interest to market their brand or campaign to increase donations.
The legislation offers further help by defining what it means by ‘lawful’ processing of data. This is in Article 6.1 of GDPR.
Lawful use of data focuses on whether the person or organisation involved has given consent, or whether the processing is necessary to fulfil the legal requirements of a contract.
Other lawful uses relate to security: protecting the organisation, its stakeholders, and its beneficiaries. According to the ICO, this can include preventing fraud. Protecting beneficiaries and the organisation from criminal acts, and from wider threats to public security, are also ‘legitimate interests’.
It is worth pointing out that using data in the public interest is also considered lawful.
Marketing is one of the main areas where charities need to consider ‘legitimate interest’.
Fortunately, the legislation offers a degree of clarity specifically around direct marketing. It states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
‘Legitimate interest’ also needs to be considered when a charity supporter does not wish to receive direct marketing. In this instance, the supporter must be able to unsubscribe easily, often through a simple online link. Charities should also allow users to delete their account so that their personal information is removed from the charity’s databases.
Another legitimate use of data in marketing is personalising a website so that it is tailored to the supporter’s interests and improves their online experience. Improving the customer and supporter experience is a ‘legitimate interest’.
The Chartered Institute of Fundraising and the Fundraising Regulator have produced further guidance to charities on how ‘legitimate interest’ impacts on their fundraising operations.
The guidance stresses the flexibility of ‘legitimate interest’, especially as a lawful basis for processing data in direct marketing. Their guidance states: “Legitimate interest is the most flexible lawful basis for processing and is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact.”
But it adds that ‘legitimate interest’ is not a valid lawful basis for electronic marketing, through email and text messages or calls to numbers that are registered with the Telephone Preference Service (TPS) – the official ‘do not call’ register for landline and mobile numbers.
This is because there are specific rules for electronic communications, where different legislation, the Privacy and Electronic Communications Regulations (PECR), applies.
“However, you can rely on legitimate interests for marketing channels not subject to PECR (such as post and live telephone calls to numbers not registered with the TPS as long as no objection has been made in the past)”, the guidance adds, although charities “must be able to show that how you use people’s data is proportionate and has a minimal privacy impact, and that individuals would not be surprised or likely to object”.