Lawful Basis for Processing
Why do you need to understand the legitimate interests assessment process? When processing personal information, it is a legal requirement to comply with the UK GDPR and data protection laws, specifically the Article 6 lawfulness of processing obligations. Businesses processing personal data should identify which legal basis they are relying on before the processing activity commences. Data must only be processed where at least one of the conditions below has been met:
- The data subject has given consent to processing their personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
What are GDPR Legitimate Interests?
The UK GDPR defines six legal bases under which personal data can be processed. Article 6(1)(f) refers to legitimate interests as a lawful basis for processing where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
A controller’s interests can be defined as an advantage or benefit to them, or a stake in the processing or outcome. It is because of these ‘interests’ that the UK GDPR warrants an evaluation when using this legal basis, with Recital 47 stating “the existence of a legitimate interest would need careful assessment”.
When Should You Use Legitimate Interests for Processing Personal Data?
Relying on legitimate interests as the grounds for processing personal data is only lawful when such processing is necessary, and any controller interests are not outweighed by the rights and freedoms of the individual. The UK GDPR also notes that legitimate interests cannot be relied upon by public authorities in the performance of their tasks.
The UK GDPR mandates the documenting of any legitimate interests assessment and decision. An organisation is also required to record in its privacy notice any legitimate interests pursued by the controller or by a third party where processing is based on point (f) of Article 6(1). A Legitimate Interests Assessment Template can help to keep the review consistent and compliant.
What is a Legitimate Interests Assessment (LIA)?
Relying on legitimate interests as the grounds for processing personal data is only lawful when such processing is necessary. It is also essential to ensure that any controller interests are not outweighed by the rights and freedoms of the individual.
With this in mind, it is mandatory for controllers to carry out a Legitimate Interests Assessment (LIA) when considering using Article 6(1)(f) as their legal basis for processing. It is also worth noting that legitimate interests cannot be relied upon by public authorities in the performance of their tasks.
The UK GDPR mandates that any legitimate interests assessment and the subsequent decision must be documented. The decision for processing based on point (f) of Article 6(1) should also be recorded in the privacy notice of the relevant controller or by a third party.
Stages of a Legitimate Interests Assessment
There is no set format for the legitimate interests assessment. However, guidance from the Information Commissioner’s Office (ICO) refers to three specific stages. These LIA stages are used for determining if legitimate interests is the most appropriate basis for processing.
The assessment stages are:
- Purpose
- Necessity
- Balancing
The accepted standard for assessing the reliance on legitimate interests is that it should be identified for the benefit of the data subject. The data subject should also be provided with the information from the assessment stages (also known as the balancing test).
Legitimate Interests 3-Part Test
The Information Commissioner’s Office (ICO) has defined a 3-part test for assessing the use of legitimate interests, breaking those parts down into:
- Purpose – documenting the purpose of the processing and what function it serves for the controller provides the basis for identifying any legitimate interest(s) and documenting them.
- Necessity – a business must be able to demonstrate that processing is necessary and evidence that there is no less intrusive way to achieve the same result.
- Balancing – the final stage is to balance the processing against the individual’s interests, rights and freedoms and ensure that the individual’s interests do not override those of the controller.
Use the Legitimate Interests Assessment Template from Know Your Compliance Limited and join over 11,000 organisations already using our documents.
Quickly identify, document and evidence that legitimate interests is the most appropriate legal basis for you to use. Complete with customisable procedures and a user-friendly LIA template in Word. Our professional, compliant template is only £18 (exc. VAT) and will save you time and money.
Benefit from simple document integration and demonstrate your Article 6 compliance without starting from scratch. The benefits of our Legitimate Interests Assessment Template include:
- Compliant, Customisable Template
- Purpose, Necessity & Balance Tests
- Comply with Article 6(1)(f)
- Aligned with the GDPR & DPA18
- Instant Download After Payment

