Jeff Sanchez, Protiviti Managing Director, and Diana Candela, Protiviti Associate Director
One of the key provisions of the European Union’s new General Data Protection Regulation (GDPR) is that the processing of personal data of a data subject requires a legal basis to process that data. While organizations initially turned to consent first as their legal basis, more organizations are now considering the circumstances under which they might be able to assert ‘‘legitimate interest’’ in lieu of consent. The choice of whether to go with consent or legitimate interests is process-specific and should not be made lightly.
This article explores the legal concepts of consent and interest in the context of GDPR and offers advice on how organizations should approach deciding between them.