With all the facts, figures and untruths being flung around we always prefer to default to the ICO.
Recently we linked to their definition of Legitimate Interest.
Today we'd like to link you to the ICO again. This time to explain the difference between Legitimate Interest under GDPR V the DPA 1998.
At least it's factual, rather than guesswork.....
Under the 1998 Act, the processing impact had to be unwarranted due to prejudice to the individual’s interests before it would override your legitimate interests, ie the provision implied a focus on demonstrable harm. However, prejudice is not a term used in the GDPR version of the provision, and it’s clear that this is intended to be wider than a pure harm-based assessment. For example, Recital 47 indicates that if the individual does not reasonably expect the processing, their rights may override your legitimate interests.