GDPR is more than a year old and many companies still are not compliant. In fact, a lot of companies are more confident than they should be about their compliance status.

Although awareness about safe data management has risen, many organisations are struggling to implement effective GDPR procedures. If done properly, businesses can use this opportunity to transform their processes to better serve their own interests and those of their customers.

But that won’t happen without first having a thorough understanding of what compliance could mean for them.

GDPR concerns personal data

Any information you handle that could allow someone to identify an individual, even indirectly, counts as personal data. Pseudonymised data and information with explicit identifiers removed is still covered by GDPR. These measures can’t guarantee anonymity, as someone may be able to extrapolate identities from the details you handle.

For example, Facebook’s data breach in September 2019 revealed the records of 419 million users. This leaked their phone numbers, as well as their Facebook identification. Some records also contained users’ gender and location details. With this, people could be easily identified, which qualifies as a breach of privacy.

This is the kind of information your business needs to ensure is properly protected, so your customers can be confident that you value their privacy.

Streamline your information management

By taking stock of the data you have and properly organising it, your business will feel the benefit, as with any comprehensive asset management.

With less extraneous data to worry about, your information management will be more efficient and anything you store will be easier to safeguard. If you approach compliance properly, your data should become secure, more reliable and more valuable to your business needs.

Most of the six lawful bases that GDPR defines for handling personal data are based on clearly defined boundaries, such as when consent has been given for a specific purpose or when a law requires you to process data in a certain way.

What is legitimate interest?

Legitimate interest is the most flexible lawful basis for processing data.

Applying legitimate interest means you take on more responsibility, as it is dependent on your own judgement about whether your processes are covered by GDPR.

Legitimate interest doesn’t only apply to the interests of the individual whose data in involved. It can also mean your legitimate interest as a business or that of a third party. However, rights or freedoms the individual is legally entitled to take priority. This includes their right to privacy and their right to be forgotten.

If you could reasonably achieve the same result in a less intrusive way, legitimate interest cannot be applied as a lawful basis under GDPR.

How does it apply to the data I handle?

There are many reasons that legitimate interest might be applicable to your processes, with some easier to argue than others.

A very clearly legitimate reason would be fraud prevention – when retaining someone’s data allows you to ensure that no one else is fraudulently using their details. This helps to protect your customers from anything from minor anomalies on their records to identity theft.

A reason that may indicate legitimate interest is for direct marketing purposes. It’s definitely in your interest to communicate with potential customers about your services. However, you still need to show that you’ve taken the interest of the individual into consideration. Your marketing communications need to be relevant to them and you must comply with other privacy rules that may be relevant. You can’t spam someone and call it legitimate interest because they read one email from you many years ago.

Ultimately, no purpose you might offer for why you want to keep someone’s data should override the interests, rights and freedoms of the individual the data pertains to.


Find out how ThreatAware can help manage your compliance and cybersecurity processes by accessing our demo site or signing up for a free trial.