How to Conduct a Legitimate Interest Assessment (LIA)

Under the UK and EU General Data Protection Regulation (GDPR), organisations are required to justify why they are processing personal data and establish the nature and context of their processing.  To do so, they must apply at least one of 6 lawful basis conditions set out in Article 6.

Legitimate interest is one of the 6 lawful bases for processing personal data and it allows organisations to process personal data if it is necessary for their legitimate interests or those of a third party, provided these interests are not overridden by the individual’s rights and freedoms.

Conducting a legitimate interest assessment (LIA) is a crucial step to ensuring that your data processing activities are lawful, maintain transparency and are respectful of individuals’ rights.

While the GDPR does not explicitly mandate an LIA, it is considered best practice and ensures you are able to comply with the Article 5(2) accountability principle by providing documented evidence of your processing decisions.  An LIA is, essentially, a risk assessment, with some similarities to a data protection impact assessment (DPIA), although an LIA is intended to be a simpler form of assessment.  In some cases, an LIA may reveal the necessity for a DPIA – to learn more about DPIAs and when they are necessary, read our blog on Conducting Data Protection Impact Assessments (DPIAs).

Conducting an LIA helps you to:

• Ensure your processing is lawful and fair – would an alternative Article 6 lawful basis be more appropriate?  
• Demonstrate compliance.
• Consider each of the Article 5 principles before processing commences.
• Support your business objectives positively.
• Identify and mitigate risks to individuals’ rights and freedoms.
• Maintain transparency with data subjects.
• Explain your processing clearly and build trust with data subjects.

There are 3 tests that must be satisfied when undertaking a LIA:

Purpose Test: Identify the legitimate interest.  For example, it is a legitimate interest of your organisation to promote your goods and services.

Necessity Test: Determine if the processing is necessary to achieve the purpose.  Can the business need be achieved in a different way, or by using less personal data, or would the use of personal data reasonably be expected for the purpose by data subjects?

Balancing Test: Assess whether the individual’s interests, rights, and freedoms override the legitimate interest, for example, sending marketing material for business development purposes requires consent under the UK Privacy in Electronic Communications Regulations (PECR).

‍

Identify the legitimate interest

Begin by clearly defining the legitimate interest you are pursuing.  This could be a commercial interest, a broader societal benefit, or the interests of a third party.  Be specific and avoid vague or generic purposes.  The LIA is designed to balance your organisation’s needs with the rights of individuals – don’t be pressured by internal stakeholders who may have differing business objectives.  

There are many examples of where legitimate interests may be used as the lawful basis for processing, as it is the most flexible of the options available.   One common example is where an organisation might wish to process customer data under its ‘legitimate interests’ to improve customer experience or product/service quality.

Important:  It is not acceptable to determine that processing is necessary because you have designed your business processes to operate in a particular way.

Assess the necessity of processing

Evaluate whether the data processing is necessary to achieve the identified legitimate interest, and consider whether there are less intrusive means to achieve the same goal, as the processing should always be proportionate, limited and necessary.  You will need to record and consider what data categories are collected – could those categories be considered excessive, ‘nice to have’ categories?  Will any of those categories include children’s data which will require parental consent, or special category data that will need you to identify a second justification from Article 9?

Conduct the balancing test

Weigh the legitimate interest against the potential impact on the individual’s rights and freedoms such as the right to erasure, right to portability, rights to object to processing likely to cause them harm or distress depending on the nature of the data and the context of the processing.  For example, could the proposed processing lead to excessive profiling? Have you considered the relationship you have with your data subjects? Is the data used current or historic?  If the data to be used was collected for another purpose, will the new processing be compatible with the reasons it was originally collected?

You should also consider:

• Why you want to process the data
• Any potential unethical or unlawful use of the data
• What are you trying to achieve
• Who benefits from the processing and why
• The impact if you could not go ahead.

Document your LIA

Record the findings of each test in a detailed document. There are templates for this available from the UK Information Commissioner’s Office (ICO) and other GDPR regulators.  Your document should include:

• The purpose of the processing
• The necessity of the processing
• The outcome of the balancing test
• Any measures taken to mitigate risks to individuals.

Implement safeguards

Based on the outcome of your LIA, implement appropriate safeguards to protect individuals’ rights and freedoms.  This could include data minimisation, anonymisation, encryption, and providing clear privacy notices and opt out measures.

Review and update the LIA

Regularly review and update the LIA to reflect any changes in processing activities, legal requirements, or the context in which the data is processed.  This ensures ongoing compliance and addresses any new risks.

‍

• Engage Stakeholders: Involve relevant stakeholders, including legal, compliance, and data protection officers, to ensure a comprehensive assessment.
• Use Templates: Utilise LIA templates provided by regulatory bodies or industry advisors
• Be Transparent: Communicate the results of the LIA to data subjects through privacy notices and other communication channels.
• Seek Advice: If in doubt, seek professional advice to ensure that your LIA is thorough and compliant with GDPR requirements.