What is Legitimate Interests?
This article looks at how to carry out a Legitimate Interests Assessment (LIA) and gives guidance on the suggested stages. Legitimate Interests is one of the legal bases for processing personal data under the GDPR. Article 6(1)(f) of the Regulation states:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Recital 47 goes on to say that legitimate interest could exist where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller; and any existence of a legitimate interest would need careful assessment.
The Most Appropriate Legal Basis
It is important to understand and consider all the legal bases for processing, and to identify the most appropriate one for the type of data being processed and the processing activity. Whilst legitimate interest is one of the most flexible legal bases, there is an additional responsibility to identify, assess and evidence that an individual’s rights and interests have been reviewed and considered.
Legitimate Interest can only be relied upon where the processing is ‘necessary’ and cannot be used by public authorities in the performance of their tasks. The GDPR advises that the use of “Legitimate Interest would need careful assessment”, with the ICO making specific reference to a Legitimate Interests Assessment (LIA), which is why it is important to understand how to carry out a Legitimate Interests Assessment (LIA).
How to Carry Out a Legitimate Interests Assessment (LIA)
When considering relying on Legitimate Interests as the legal basis for processing, an organisation should utilise assessment criteria that cover 3 specific requirements. It is important to complete such an assessment and to document the process, even where the Legitimate Interests are clear. The 3 stages involved in a LIA are:
If you think that your processing activity comes under the legal basis of Legitimate Interests, it is important to identify any interest(s) and to document them. Start by documenting the purpose of the processing and review that against the other legal bases to determine which is most appropriate.
If you identify that you can rely on Legitimate Interests, note down all interests (even if you only intend to rely on one of them). You should also be able to demonstrate that you understand your responsibility to protect the individual’s interests. Who benefits from the processing? How do they benefit?
The ICO define ‘necessary’ as “processing must be a targeted and proportionate way of achieving your purpose.” You must be able to demonstrate that processing is necessary and evidence that there is no less intrusive way to achieve the same result. Consider the organisation’s interests noted from stage one and any business objectives relevant to the processing. Is the processing ‘necessary’ to achieve those interests and objectives?
If you can identify another (less intrusive) way to achieve the same objective or interest (or determine that the processing is not necessary), then you should not be relying on Legitimate Interests.
The final stage of a Legitimate Interests Assessment (LIA) is to balance the processing against the individual’s interests, rights and freedoms. This means documenting and demonstrating an evaluation of those rights and freedoms and ensuring that the individual’s interests do not override those of the controller.
This stage is about considering the impact the intended processing would/will have on an individual and evaluating any impact against the controller’s identified interests. The evaluation could include questions such as:
- Are there any conflicts of interest in the relationship between the controller and individual?
- What risk is involved in the processing, and/or is the data high risk or sensitive?
- Would an individual normally expect their data to be used in this way?
- Can you easily define and explain the legitimate interests you are relying on?
- Is there any chance of people finding such processing intrusive or objectionable?
- Have you identified (and evaluated) any risks and/or impact involved?
The above is not an exhaustive list but will go a long way towards demonstrating an effective and complete balancing test.
There is no defined format for how to carry out a Legitimate Interests Assessment (LIA) (i.e. you can use Excel, Word templates or other mediums), but documenting and being able to evidence your LIA is essential, as is including information about your legitimate interests in your privacy notice.
If you decide that you can reasonably and compliantly rely on Legitimate Interests for your processing, you should retain the assessment records for as long as the processing continues (and after in accordance with your retention schedule) and review the assessment at regular intervals. This is especially important if the scope of the processing changes, at which point the LIA would need to be revisited.
The ICO have greatly extended their guidance in this area, which can be accessed via their website.
Feel free to download our Legitimate Interests Assessment (LIA) template on our Resources page or visit our GDPR Bundle comparison chart to see what GDPR documents we provide and how we can help with your GDPR compliance.