Understanding Legitimate Interests
Under the UK and EU General Data Protection Regulation (GDPR), organisations are required to justify why they are processing personal data and to establish the nature and context of that processing. To do so, they must rely on at least one of the six lawful bases set out in Article 6.
Legitimate interests is one of those six lawful bases. It allows an organisation to process personal data where the processing is necessary for its own legitimate interests or those of a third party, provided those interests are not overridden by the interests, rights and freedoms of the individual.
Conducting a legitimate interest assessment (LIA) is a crucial step to ensuring that your data processing activities are lawful, maintain transparency and are respectful of individuals’ rights.
Why Conduct an LIA?
While the GDPR does not explicitly mandate an LIA, it is considered best practice and supports compliance with the Article 5(2) accountability principle by providing documented evidence of your processing decisions. An LIA is, essentially, a risk assessment with some similarities to a data protection impact assessment (DPIA), although it is intended to be a simpler form of assessment. In some cases, an LIA may reveal that a DPIA is also necessary – to learn more about DPIAs and when they are required, read our blog on Conducting Data Protection Impact Assessments (DPIAs).
Conducting an LIA helps you to:
- Ensure your processing is lawful and fair – would an alternative Article 6 lawful basis be more appropriate?
- Demonstrate compliance.
- Consider each of the Article 5 principles before processing commences.
- Support your business objectives while respecting data subjects.
- Identify and mitigate risks to individuals’ rights and freedoms.
- Maintain transparency with data subjects.
- Explain your processing clearly and build trust with data subjects.
The Three-Part Test
There are three tests that must be satisfied when undertaking an LIA:
Purpose Test: Identify the legitimate interest. For example, it is a legitimate interest of your organisation to promote your goods and services.
Necessity Test: Determine whether the processing is necessary to achieve that purpose. Could the business need be met in a different way, or by using less personal data?
Balancing Test: Assess whether the individual’s interests, rights and freedoms override the legitimate interest, taking into account whether data subjects would reasonably expect the processing. Note that satisfying the balancing test does not remove other legal requirements: for example, electronic direct marketing may additionally require consent under the UK Privacy and Electronic Communications Regulations (PECR), even where legitimate interests is the GDPR lawful basis.
Step-by-Step Guide to Conducting an LIA
Identify the legitimate interest
Begin by clearly defining the legitimate interest you are pursuing. This could be a commercial interest, a broader societal benefit, or the interests of a third party. Be specific and avoid vague or generic purposes. The LIA is designed to balance your organisation’s needs with the rights of individuals – don’t be pressured by internal stakeholders who may have differing business objectives.
There are many examples of where legitimate interests may be used as the lawful basis for processing, as it is the most flexible of the options available. One common example is where an organisation might wish to process customer data under its ‘legitimate interests’ to improve customer experience or product/service quality.
Important: It is not acceptable to determine that processing is necessary because you have designed your business processes to operate in a particular way.
Assess the necessity of processing
Evaluate whether the data processing is necessary to achieve the identified legitimate interest, and consider whether there are less intrusive means of achieving the same goal, as the processing should always be proportionate, limited and necessary. You will need to record and consider which categories of data are collected – could any of those categories be considered excessive or merely ‘nice to have’? Will any of them include children’s data, which requires particular care and carries extra weight in the balancing test, or special category data, which will need you to identify an additional condition under Article 9?
Conduct the balancing test
Weigh the legitimate interest against the potential impact on the individual’s rights and freedoms, such as the right to erasure, the right to data portability and the right to object (which applies to any processing based on legitimate interests), depending on the nature of the data and the context of the processing. For example, could the proposed processing lead to excessive profiling? Have you considered the relationship you have with your data subjects? Is the data current or historic? If the data was collected for another purpose, is the new processing compatible with the purpose for which it was originally collected?
You should also consider:
- Why you want to process the data
- Any potential unethical or unlawful use of the data
- What you are trying to achieve
- Who benefits from the processing and why
- The impact if you could not go ahead.
Document your LIA
Record the findings of each test in a detailed document. Templates are available from the UK Information Commissioner’s Office (ICO) and other data protection regulators. Your document should include:
- The purpose of the processing
- The necessity of the processing
- The outcome of the balancing test
- Any measures taken to mitigate risks to individuals.
Implement safeguards
Based on the outcome of your LIA, implement appropriate safeguards to protect individuals’ rights and freedoms. These could include data minimisation, pseudonymisation or anonymisation, encryption, clear privacy notices and easy-to-use opt-out mechanisms.
Review and update the LIA
Regularly review and update the LIA to reflect any changes in processing activities, legal requirements, or the context in which the data is processed. This ensures ongoing compliance and addresses any new risks.
Practical Tips for Conducting an LIA
- Engage Stakeholders: Involve relevant stakeholders, including legal, compliance, and data protection officers, to ensure a comprehensive assessment.
- Use Templates: Utilise LIA templates provided by regulatory bodies or industry advisors.
- Be Transparent: Communicate the results of the LIA to data subjects through privacy notices and other communication channels.
- Seek Advice: If in doubt, seek professional advice to ensure that your LIA is thorough and compliant with GDPR requirements.
How URM Can Help
Consultancy
With nearly 20 years of experience assisting organisations to comply with data protection legislation, URM is ideally placed to support your organisation’s efforts to comply with the GDPR by offering a range of GDPR consultancy services, including assistance with LIAs.
We at URM understand that even seasoned data protection professionals sometimes feel uncomfortable about assessing or qualifying risk in relation to the LIA tests. URM can support you in conducting these assessments in full compliance with the Regulation, or with any other aspect of GDPR compliance.
As well as assisting with LIAs, URM’s large team of GDPR consultants can offer a number of other data protection consultancy services, such as conducting a gap analysis of your organisation’s processing against the requirements of the Regulation to help identify where you are and are not currently compliant. We can also offer a virtual data protection officer (vDPO) service, which provides you with access to an entire team of data protection practitioners, each with their own specialised area of GDPR consultancy. For assistance with other compliance documentation, our experts can support you in developing your records of processing activities (ROPA), and in conducting data protection impact assessments (DPIAs) and data transfer impact assessments (DTIAs). Meanwhile, if your organisation receives a data subject access request (DSAR), our experts can help you process the DSAR in full compliance with the Regulation by applying the necessary redactions and ensuring that the only information provided to the data subject is information they have a right to access.
Training
For those who would like to enhance their own data protection knowledge and skillset, URM regularly runs a range of data protection training courses, each of which is led by a highly qualified and experienced data protection practitioner. If you would like to learn how to undertake key compliance activities, URM runs half-day training courses on conducting DPIAs and conducting DTIAs, as well as a one-day ‘How to Manage DSARs’ course where you will learn how to respond compliantly to a GDPR DSAR. Meanwhile, to gain an industry-recognised qualification, URM regularly runs the BCS Foundation Certificate in Data Protection (CDP) training course, which will fully prepare you to sit and pass the BCS examination.