How to Conduct a Legitimate Interest Assessment (LIA)

Pauline Brace | Senior Data Protection and Information Security Consultant at URM | Published on 13 Sep 2024

Understanding Legitimate Interests

Under the UK and EU General Data Protection Regulation (GDPR), organisations are required to justify why they are processing personal data and establish the nature and context of their processing.  To do so, they must rely on at least one of the six lawful bases set out in Article 6.

Legitimate interest is one of the 6 lawful bases for processing personal data and it allows organisations to process personal data if it is necessary for their legitimate interests or those of a third party, provided these interests are not overridden by the individual’s rights and freedoms.

Conducting a legitimate interest assessment (LIA) is a crucial step to ensuring that your data processing activities are lawful, maintain transparency and are respectful of individuals’ rights.

Why Conduct an LIA?

While the GDPR does not explicitly mandate an LIA, it is considered best practice and ensures you are able to comply with the Article 5(2) accountability principle by providing documented evidence of your processing decisions.  An LIA is, essentially, a risk assessment, with some similarities to a data protection impact assessment (DPIA), although an LIA is intended to be a simpler form of assessment.  In some cases, an LIA may reveal the necessity for a DPIA – to learn more about DPIAs and when they are necessary, read our blog on Conducting Data Protection Impact Assessments (DPIAs).

Conducting an LIA helps you to:

  • Ensure your processing is lawful and fair – would an alternative Article 6 lawful basis be more appropriate?  
  • Demonstrate compliance.
  • Consider each of the Article 5 principles before processing commences.
  • Support your business objectives positively.
  • Identify and mitigate risks to individuals’ rights and freedoms.
  • Maintain transparency with data subjects.
  • Explain your processing clearly and build trust with data subjects.

The Three-Part Test

There are 3 tests that must be satisfied when undertaking an LIA:

Purpose Test: Identify the legitimate interest.  For example, it is a legitimate interest of your organisation to promote your goods and services.

Necessity Test: Determine if the processing is necessary to achieve the purpose.  Can the business need be achieved in a different way, or by using less personal data, or would the use of personal data reasonably be expected for the purpose by data subjects?

Balancing Test: Assess whether the individual’s interests, rights and freedoms override the legitimate interest.  Note that the balancing test does not override other legal requirements: for example, sending electronic marketing material for business development purposes requires consent under the UK Privacy and Electronic Communications Regulations (PECR), regardless of the outcome of the LIA.

Step-by-Step Guide to Conducting an LIA

Identify the legitimate interest

Begin by clearly defining the legitimate interest you are pursuing.  This could be a commercial interest, a broader societal benefit, or the interests of a third party.  Be specific and avoid vague or generic purposes.  The LIA is designed to balance your organisation’s needs with the rights of individuals – don’t be pressured by internal stakeholders who may have differing business objectives.  

There are many examples of where legitimate interests may be used as the lawful basis for processing, as it is the most flexible of the options available.   One common example is where an organisation might wish to process customer data under its ‘legitimate interests’ to improve customer experience or product/service quality.

Important:  It is not acceptable to determine that processing is necessary because you have designed your business processes to operate in a particular way.

Assess the necessity of processing

Evaluate whether the data processing is necessary to achieve the identified legitimate interest, and consider whether there are less intrusive means to achieve the same goal, as the processing should always be proportionate, limited and necessary.  You will need to record and consider what data categories are collected – could those categories be considered excessive, ‘nice to have’ categories?  Will any of those categories include children’s data which will require parental consent, or special category data that will need you to identify a second justification from Article 9?

Conduct the balancing test

Weigh the legitimate interest against the potential impact on the individual’s rights and freedoms, such as the right to erasure, the right to data portability and the right to object to processing that is likely to cause them harm or distress; how much weight these carry depends on the nature of the data and the context of the processing.  For example, could the proposed processing lead to excessive profiling?  Have you considered the relationship you have with your data subjects?  Is the data used current or historic?  If the data to be used was collected for another purpose, will the new processing be compatible with the reasons it was originally collected?

You should also consider:

  • Why you want to process the data
  • Any potential unethical or unlawful use of the data
  • What you are trying to achieve
  • Who benefits from the processing and why
  • The impact if you could not go ahead.

Document your LIA

Record the findings of each test in a detailed document. There are templates for this available from the UK Information Commissioner’s Office (ICO) and other GDPR regulators.  Your document should include:

  • The purpose of the processing
  • The necessity of the processing
  • The outcome of the balancing test
  • Any measures taken to mitigate risks to individuals.

Implement safeguards

Based on the outcome of your LIA, implement appropriate safeguards to protect individuals’ rights and freedoms.  This could include data minimisation, anonymisation, encryption, and providing clear privacy notices and opt-out measures.

Review and update the LIA

Regularly review and update the LIA to reflect any changes in processing activities, legal requirements, or the context in which the data is processed.  This ensures ongoing compliance and addresses any new risks.

Practical Tips for Conducting an LIA

  • Engage Stakeholders: Involve relevant stakeholders, including legal, compliance, and data protection officers, to ensure a comprehensive assessment.
  • Use Templates: Utilise LIA templates provided by regulatory bodies or industry advisors.
  • Be Transparent: Communicate the results of the LIA to data subjects through privacy notices and other communication channels.
  • Seek Advice: If in doubt, seek professional advice to ensure that your LIA is thorough and compliant with GDPR requirements.

How URM Can Help

Consultancy

With nearly 20 years of experience assisting organisations to comply with data protection legislation, URM is ideally placed to assist your organisation in its efforts to comply with the GDPR by offering a range of GDPR consultancy services, including assistance with LIAs.  

We at URM understand that even seasoned data protection professionals sometimes feel uncomfortable about assessing or qualifying risk in relation to the LIA tests.  Drawing upon nearly 20 years of experience helping organisations comply with data protection legislation, URM can support you to conduct these assessments in full compliance with the Regulation, or with any other aspect of GDPR compliance.  

As well as assisting with LIAs, URM’s large team of GDPR consultants can offer a number of other data protection consultancy services, such as conducting a gap analysis of your organisation’s processing against the requirements of the Regulation to help identify where you are and are not currently compliant.  We can also offer a virtual data protection officer (vDPO) service, which provides you with access to an entire team of data protection practitioners, each with their own specialised area of GDPR consultancy.  For assistance with other compliance documentation, our experts can support you to develop your records of processing activities (ROPA), and with conducting data protection impact assessments (DPIAs) and data transfer impact assessments (DTIAs).  Meanwhile, if your organisation receives a data subject access request (DSAR), our experts can help you process it in full compliance with the Regulation by applying the necessary redactions and ensuring the only information provided to the data subject is information they have a right to access.

Training

For those who would like to enhance their own data protection knowledge and skillset, URM regularly runs a range of data protection training courses, each of which is led by a highly qualified and experienced data protection practitioner.  If you would like to learn how to undertake key compliance activities, URM runs half-day training courses on conducting DPIAs and conducting DTIAs, as well as a 1-day ‘How to Manage DSARs’ course where you will learn how to respond compliantly to a GDPR DSAR.  Meanwhile, to gain an industry-recognised qualification, URM regularly runs the BCS Foundation Certificate in Data Protection (CDP) training course, which will fully prepare you to sit and pass the BCS examination.

About the author
Pauline is a Senior Data Protection and Information Security Consultant at URM. She is an accredited BCS trainer and holds the BCS Certificate in Data Protection, holds a BCS Certificate in Principles of Information Security and has formerly achieved the Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP) and Payment Card Industry PCI-DSS QSA qualifications.