Lawful Basis for Processing
Why do you need to understand the legitimate interests assessment process? When processing personal information, it is a legal requirement to comply with the UK GDPR and data protection laws. Specifically, adhering to the Article 6 lawfulness of processing obligations. Businesses processing personal data should identify which legal basis they are relying on prior to the processing activity commencing. Data must only be processed where at least one of the below have been met:
- The data subject has given consent to processing their personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
What is a Legitimate Interests Assessment (LIA)?
Relying on legitimate interests as the grounds for processing personal data is only lawful when such processing is necessary. It is also essential to ensure that any controller interests are not outweighed by the rights and freedoms of the individual.
With this in mind, it is mandatory for controllers to carry out a Legitimate Interests Assessment (LIA) when considering using Article 6(1)f as their legal basis for processing. It is also worth noting that legitimate interests cannot be relied upon by public authorities in the performance of their tasks.
The UK GDPR mandates that any legitimate interests assessment and the subsequent decision must be documented. The decision for processing based on point (f) of Article 6(1) should also be recorded in the privacy notice of the relevant controller or by a third party.
Stages of a Legitimate Interests Assessment
There is no set format for the legitimate interests assessment. However, guidance from the Information Commissioners Office (ICO) refers to three specific stages. These LIA stages are used for determining if legitimate interests is the most appropriate basis for processing.
The assessment stages are: –
- Purpose
- Necessity
- Balancing
The accepted standard for assessing the reliance on legitimate interests is that it should be identified for the benefit of the data subject. The data subject should also be provided with the information from assessing stages (also known as the balancing test).
Use the Legitimate Interests Assessment Template from Know Your Compliance Limited and join over 8500 organisations already using our documents.
Quickly identify, document and evidence that legitimate interests is the most appropriate legal basis for you to use. Complete with customisable procedures and a user-friendly LIA template in Word. Our professional, compliant template is only £18 (exc vat) and will save you time and money.
Benefit from simple document integration and demonstrate your Article 6 compliance without starting from scratch. The benefits of our Legitimate Interests Assessment Template include:-
- Compliant, Customisable Template
- Purpose, Necessity & Balance Tests
- Comply with Article 6(1)f
- Aligned with the GDPR & DPA18
- Instant Download After Payment