Insights
INSIGHTS
All Topics
GDPR for charities: what is legitimate interest?
04 Jun 2021by Joe Lepper
Crucial to charities’ compliance with data protection law is the phrase ‘legitimate interest’. But what does it mean and how can it help protect beneficiaries, stakeholders, and donors?
Charities need to be aware of the phrase ‘legitimate interest’ when complying with data protection law.
To ensure the information and data of donors, staff, beneficiaries, and other stakeholders is protected, charities are bound by the EU’s General Data Protection Regulation (GDPR).
Even though the UK has now left the EU, GDPR has been incorporated into UK data protection legislation. GDPR still applies along with the UK’s Data Protection Act of 2018.
Defining legitimate interest
Crucial to GDPR is the concept of ‘legitimate interest’ when processing data. Charities and other organisations have a legal reason to process personal data that is lawful, fair, and transparent, according to the data protection regulator, the Information Commissioner’s Office (ICO).
The ICO points out that the phrase ‘legitimate interest’ offers organisations flexibility, as it is not focused around one particular purpose for using data. As long as it is lawful, fair, and transparent, its use is legitimate according to GDPR.
Three-part test of legitimate interest
Under the legitimate interest provision of GDPR a three-part test is provided in the legislation to help organisations such as charities ensure they are legitimately processing data.
The ICO recommends applying the following three questions when considering the legitimacy of processing data:
- Purpose test: Is there a purpose to processing the data?
- Necessity test: Is the processing of data necessary for that purpose?
- Balancing test: Is the legitimate interest at odds with the individual’s interests, rights, or freedoms?
In proving ‘legitimate interest’ of handling data, charities must show they have a clear and specific benefit or outcome in mind. It may not be enough to rely on vague or generic interests.
Instead, charities should pinpoint what the specific purpose is, such as having a legitimate interest to market their brand or campaign to increase donations.
When is it ‘lawful’ to process data?
The legislation offers further help by defining what it means by ‘lawful’ processing of data. This is in Article 6.1 of GDPR.
Lawful use of data focuses on whether the data used has the consent of the person or organisation involved, or is necessary to fulfil the legal requirements of a contract.
Other lawful uses include around security, to protect the organisation, stakeholders, and beneficiaries. According to the ICO, this can include preventing fraud. Protecting beneficiaries and the organisation from criminal acts and wider threats to public security are also ‘legitimate interests’.
It is worth pointing out that using data in the public interest is also considered lawful.
Related Articles
Legitimate interest in charity marketing
Marketing is one of the main areas where charities need to consider ‘legitimate interest’.
Fortunately, the legislation offers a degree of clarity specifically around direct marketing. It states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
’Legitimate interest’ needs to be considered if a charity supporter does not wish to receive direct marketing. In this instance, the supporter needs to be able to easily unsubscribe, often by a simple link online. Charities should also allow users to be able to delete their account to remove personal information from their databases.
Another legitimate use of using data in marketing is to personalise a website so that it is tailored to the supporter’s interest to improve their online experience. Improving customer and supporter experience is a ‘legitimate interest’.
Further fundraising advice
The Chartered Institute of Fundraising and the Fundraising Regulator have produced further guidance to charities on how ‘legitimate interest’ impacts on their fundraising operations.
The guidance stresses the flexibility of ‘legitimate interest’, especially as a lawful basis for processing data in direct marketing. Their guidance states: “Legitimate interest is the most flexible lawful basis for processing and is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact.”
But it adds that ‘legitimate interest’ is not a valid lawful basis for electronic marketing, through email and text messages or calls to numbers that are registered with the Telephone Preference Service (TPS) – the official ‘do not call’ register for landline and mobile numbers.
This is because there are specific rules for electronic communications, where different legislation, the Privacy and Electronic Communications Regulations (PECR), applies.
“However, you can rely on legitimate interests for marketing channels not subject to PECR (such as post and live telephone calls to numbers not registered with the TPS as long as no objection has been made in the past)”,
Although charities “must be able to show that how you use people’s data is proportionate and has a minimal privacy impact, and that individuals would not be surprised or likely to object”, the guidance adds.
Joe Lepper
Joe Lepper
More on this topic
Related Content
Recommended Products
08 Nov 2024by Laura Stanley
Artificial intelligence: Responsible use for charitiesSponsored Article
31 Oct 2024by Laura Stanley
What cyber certification can do for charitiesSponsored Article
30 Oct 2024by Jane Waterfall
A charity guide to maintaining Cyber Essentials all year roundSponsored Article
Our Events
Charity Digital Academy
Our courses aim, in just three hours, to enhance soft skills and hard skills, boost your knowledge of finance and artificial intelligence, and supercharge your digital capabilities. Check out some of the incredible options by clicking here.
© 2022 Charity Digital Trust. All rights reserved
