
Legitimate Interest Assessment under the GDPR

Under the General Data Protection Regulation (GDPR) there are several lawful bases for processing personal data. Organisations must review their compliance with the GDPR on a regular basis, considering every aspect of the personal data they process and specifying why they process it, whether that is the personal data of their clients, customers, suppliers or employees, for example.

One of the grounds for processing personal data is that the organisation believes it (or a third party) has a legitimate interest in doing so. When relying on legitimate interests as a lawful basis, it is recommended that the organisation completes a Legitimate Interest Assessment (LIA) to support its decision and rationale. Below we review several of the questions our data protection and GDPR specialist advisors are asked on a regular basis; should you have any particular questions regarding the GDPR, we would always advise that you contact us directly.

What are the six lawful bases for processing personal data?

Before exploring the details of legitimate interest and an LIA, it is important to understand the alternative grounds for processing personal data.  In addition to legitimate interest, which is to process personal data to be used in a way that will benefit the data subject (i.e. the individual), the other five grounds are:

  1. Consent – the data subject gives you, the organisation, express permission to use their personal data in the specified way.
  2. Contract – the personal data being given to you is a requirement in order to complete a contract between you and the data subject.
  3. Legal obligation – the processing of the personal data is a legal requirement of the data controller, i.e. the organisation in question.
  4. Vital interest – the personal data is necessary in order to safeguard the data subject.
  5. Public task – the personal data is necessary in order to carry out a public interest task or as requested by the local authority.

The three stages of a Legitimate Interest Assessment

Legitimate interest is perhaps the most ambiguous of the lawful bases for processing personal data, as some critics say it allows the organisation to make its own judgement as to what is in the interest of the data subject. Under the GDPR, the term “legitimate” refers to the data processing principles of the GDPR and the resulting expectations of your organisation’s data subjects, while “interest” refers to the benefit that can arise from the data processing.

As this can cover such a broad spectrum of scenarios, an LIA gives the organisation a structured way to assess whether a legitimate interest does in fact exist and whether it is processing the personal data in a lawful manner. The process forces the organisation to consider its answers to the questions posed below and to objectively weigh the expectations of the data subject and the impact the processing will have on them.

Ideally, your organisation will complete the LIA before processing the personal data of the individual in question. It becomes more difficult to justify a lawful basis if your organisation begins to process personal data and only then tries to suggest that the lawful basis for doing so is a legitimate interest. The Information Commissioner’s Office (ICO) suggests a three-part test to confirm whether legitimate interest can be used as a lawful basis. Those three steps are:

Purpose

This stage is to ascertain whether legitimate interest would be present for the individual.  It is important that your organisation gives proper care and attention to this stage, as the answers here will determine the next stages. Under this stage, you would consider questions such as:

  1. Why do we wish to process the personal data?
  2. What are we trying to achieve by processing this personal data?
  3. What are the benefits to processing the personal data, for the organisation, the data subject(s) and any wider public benefits?
  4. Are there any third parties involved in processing the personal data, and are there any benefits for them?
  5. What would be the consequences if we weren’t to process the personal data and what are the outcomes for the data subject?
  6. Is the processing of the data ethical and lawful?

Necessity

This stage is to confirm whether processing the personal data is necessary to achieve this purpose.  Once you have completed the purpose test, you would then consider the following questions as part of this stage:

  1. Does the processing of the information act towards achieving your organisation’s initial purpose?
  2. Is this a reasonable way to collect and process data, and is there an alternative, whether that is to not process the personal data at all or to process less personal data?

Balancing

This final stage is to then balance whether the data subject’s interests override the organisation’s legitimate interest.  At this stage, your organisation should discuss various questions including, but not limited to, the following:

  1. What is the relationship between the organisation and the data subject?  Has the organisation used their personal data in the past and how was this collected at the time?
  2. Is the personal data sensitive, or is the data subject vulnerable, such that the processing requires an alternative lawful basis or should not take place at all? The more sensitive the personal data, the more likely the processing is to be intrusive, so you will need adequate justification in stages 1 and 2 for why you are processing the data.
  3. Would there be an expectation that data would be used in this way, and would the organisation be prepared to answer questions about the legitimacy of the data processing?
  4. What is the impact on the data subject, and will they feel it is intrusive or unnecessary?
  5. Is an opt-out option on offer?
During these stages, you may find that it is impossible to carry out an LIA for every single data subject. The ICO will be interested in whether you have answered these questions from the standpoint of a “reasonable” person and their expectations in a particular situation, taking into account your business, sector and size.

How do I document the results of the Legitimate Interest Assessment (LIA)?

Once you have completed the three stages, you need to consider your responses and document your results in the official LIA.  While there is no specific legislation requiring you to complete an LIA, it is best practice to complete one to justify your decision for processing the data, should the ICO carry out an investigation into your data protection practices.  Any decisions reached in your LIA should, in general terms and without giving specific details about any particular LIA, be documented in your privacy notice.

An LIA is not a document that should be completed once and then relied upon for all future decisions. You should ensure that your LIA is kept under regular review and that you do not adopt a one-size-fits-all approach across all of your data processing activities.

Conducting an LIA can be an in-depth and complicated process and we would always recommend you seek legal advice when undertaking this activity.  You can contact us on 023 8071 7413 or email grantusher@warnergoodman.co.uk to discuss your GDPR questions.
