Legitimate Interests vs Consent: Getting the Lawful Basis Right

by

in

,

Legitimate interests and consent are both valid lawful bases under UK GDPR, but they work very differently in practice, and choosing the wrong one is one of the most common data protection mistakes organisations make. Getting this right matters not just for compliance, but because the two bases give individuals different rights and give the organisation different obligations.

What’s the core difference?

Consent requires a freely given, specific, informed, and unambiguous indication of the individual’s wishes – and it can be withdrawn at any time, as easily as it was given. Legitimate interests, by contrast, doesn’t require the individual’s agreement at all; instead, the organisation carries out and documents a balancing exercise showing that its interest in the processing isn’t outweighed by the individual’s rights and freedoms.

When is consent the right basis?

Consent works best where the individual has a genuine, free choice, and where the processing wouldn’t happen without their active agreement – marketing communications are the clearest example. It is a poor fit where there’s a power imbalance (employment relationships, for instance), where withdrawal of consent would be impractical to act on, or where the processing needs to continue regardless of the individual’s preference for the organisation’s core purpose.

When is legitimate interests the right basis?

Legitimate interests is often the better fit for routine business processing that an individual would reasonably expect – fraud prevention, network security, or straightforward record-keeping, for example. It requires a three-part test: a legitimate purpose, necessity (is this processing actually needed to achieve that purpose), and balancing (does the individual’s interest override the organisation’s). All three need to be documented, not just concluded.

What goes wrong when the wrong basis is chosen?

Relying on consent for processing that will continue regardless of withdrawal creates a compliance gap the moment someone withdraws it – the organisation either has to stop processing (disruptive) or continue anyway (unlawful). Relying on legitimate interests without a genuine, documented balancing exercise leaves the basis vulnerable to challenge, particularly where the processing involves historical data, profiling, or anything an individual might not reasonably expect.

Can the basis be switched later?

Not retrospectively, and not as a workaround for consent being withdrawn. The lawful basis needs to be identified and documented before processing begins; switching it after the fact to avoid the consequences of a withdrawal is generally not permitted and undermines the individual’s right to control their own data.

If you’d like support working through a lawful basis or legitimate interests assessment, see our Data Protection advisory services.