• 2 min read

When does my organisation need to do a legitimate interests assessment (LIA)? 

Data Privacy in the Digital Age, importance of data privacy

In our last article, we discussed data protection impact assessments (DPIAs) and although there are similarities between a DPIA and LIA (i.e. they are both risk assessments requiring an organisation to carry out an assessment of the purpose of the processing, identify and assess risk and consider possible safeguards) they are different types of assessment which are needed in different circumstances.  

Legitimate interests is one of the lawful bases (i.e. reasons) for processing personal data which we considered in a previous article. Although the production of a LIA is not a legal requirement of the UK GDPR (unlike a DPIA), a LIA should be done when an organisation is considering processing personal data in reliance on legitimate interests as its lawful basis. A LIA evidences an organisation has properly considered its use of legitimate interests as a lawful basis and is a helpful document for an organisation to show its compliance with the UK GDPR’s accountability principle. 

A LIA is generally a much simpler risk assessment than a DPIA and there is no formal structure or process to be worked through but the Information Commissioner’s Office does have a template which can be used.

There are three stages to carrying out an LIA: 

  1. The purpose test (identify the legitimate interest – why do you want to process personal data in the way intended?);
  2. The necessity test (consider if the processing is necessary – could you carry out the purpose in another way e.g. which uses no personal data or less personal data?); and
  3. The balancing test (does the organisation’s interests justify the impact on individuals or does the significance of the impact on the individuals override the organisation’s legitimate interests?). 

The balancing test requires various factors to be considered, including the type of personal data being processed, the impact of the processing on the individuals, whether an individual would reasonably expect their data to be processed in the way the organisation intends and whether any safeguards can be put in place to reduce risk.

If the outcome of the balancing test is that the benefits of the processing to the organisation do not justify identified risks to individuals then legitimate interests is not the appropriate lawful basis for the processing in question and an alternative lawful basis will need to be considered. In addition, if an organisation carries out a LIA which identifies the potential for high risks to individuals’ rights and freedoms then it is likely that a DPIA will also be required.

As with DPIAs, organisations need to keep their LIAs under review and revisit them if the processing, or associated risks, change in a way which may impact the outcome of the assessment, as reliance on the legitimate interests lawful basis may cease to be appropriate. 

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].

Answers are just a click away

Make an enquiry