The legitimate interest assessment under the UK GDPR

If your company decides to process personal data on the legal basis of legitimate interests, a so-called legitimate interest assessment (LIA) must be performed. The UK General Data Protection Regulation (UK GDPR) does not explicitly require performing an LIA; however, the Information Commissioner’s Office (ICO) states that not carrying out an LIA will make it difficult to meet the obligations under the accountability principle. We will show you when you need to carry out an LIA, how to conduct one and the consequences of its outcome.

Legitimate interest

To lawfully process personal data, your company needs a legal basis for the processing. The UK GDPR stipulates the grounds on which personal data can be processed:

  • Data subject’s consent;
  • Contract or potential contract with an individual;
  • Complying with legal obligations;
  • Protecting vital interests of the data subject or another natural person;
  • Performing a task carried out in the public interest or in the exercise of official authority; or
  • Legitimate interests.

Legitimate interest is often used as a fallback clause to legitimise the processing of personal data. However, there are several hurdles to overcome. A legitimate interest could exist, for example, where there is an individual interest, a commercial interest or a broader societal interest. Moreover, these can be your company’s own interests (e.g., protection of property) as well as the interests of third parties (e.g., video surveillance for tenants). However, legitimate interests can only be used as a basis for data processing if your legitimate interests outweigh the interests of the data subjects.

Hence, if your company intends to justify the processing on the basis of legitimate interests, you need to perform an LIA.

How to perform a step-by-step legitimate interest assessment

An LIA should be conducted prior to the processing of personal data on the basis of legitimate interest. The ICO has clarified that an ex post LIA is not sufficient. Moreover, the assessment as well as the decision should be documented in order to demonstrate compliance with UK GDPR and in particular, the accountability principle.

While there is no predetermined process to conduct an LIA, the ICO has provided an LIA sample template, which can be used by companies. However, the assessment needs to include at least these three aspects, also referred to as the three-part test:

  1. The purpose test: identification of the legitimate interest(s);
  2. The necessity test: considering the necessity of the processing;
  3. The balancing test: considering the individuals’ interests.

The relevant factors for each test are set out in the ICO’s LIA template. We have included them below to provide you with all relevant information. When conducting each test, it is important to consider all relevant factors, irrespective of whether they support the final conclusion. This enables you to demonstrate that all relevant aspects have been considered before reaching a conclusion.

Purpose test

Under the purpose test, you need to identify the processing purpose and decide whether that purpose can be considered a legitimate interest. The ICO sets out some questions that should be addressed when conducting the purpose test:

  • Why do you want to process the data?
  • What benefit do you expect to get from the processing?
  • Do any third parties benefit from the processing?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you could not go ahead?
  • What is the intended outcome for individuals?
  • Are you complying with other relevant laws?
  • Are you complying with industry guidelines or codes of practice?
  • Are there any ethical issues with the processing?

The UK GDPR lists some interests that are specifically considered legitimate, such as fraud prevention, network and information security, or indicating possible criminal acts or threats to public security. Hence, depending on the circumstances of the respective case, a brief LIA can be sufficient. On the other hand, intra-group administrative transfers and marketing are mentioned in the UK GDPR only as potentially legitimate interests, and in these cases more detailed LIAs are usually necessary.

Necessity test

Once you have identified a legitimate purpose, assess whether the data processing is necessary for that purpose. The ICO sets out a number of aspects to consider:

  • Will the processing actually help to achieve the purpose?
  • Is the processing proportionate to that purpose?
  • Is it possible to achieve the purpose without processing the data, or by processing less data?
  • Is it possible to achieve the purpose by processing the data in another or less intrusive way?

Balancing test

In the balancing test, you need to weigh the rights and freedoms of the individual against the legitimate interests you identified. According to the ICO, you should at least take the following aspects into account:

Nature of the personal data that is intended to be processed

In this step, you have to consider the sensitivity of the data. According to the ICO, it should be determined whether the data falls under any of the following categories:

  • Special category data;
  • Criminal offence data;
  • Another type of data that people are likely to consider particularly “private”, e.g., financial data;
  • Children’s data or data relating to other vulnerable individuals; or
  • Whether the data relates to people in their personal or professional capacity.

The more sensitive or “private” the data, the more likely it is that the processing entails significant risks for the rights and freedoms of individuals. Processing these types of data usually requires a more compelling interest (e.g., fraud prevention or indication of criminal acts), and particular emphasis must be placed on providing adequate safeguards. A common safeguard is, for example, encrypting the data.

Determining the outcome of an LIA

To determine the outcome of the LIA, all relevant factors that have been identified during the assessment should be weighed against each other in order to assess whether the individual interests or the company’s interests prevail. You should review and update this decision if the legitimate interest and/or the processing are altered in a way that could influence the LIA’s outcome.

If the LIA indicates that the potential impact of the data processing outweighs the legitimate interests, the respective data cannot be processed on the basis of legitimate interests. In this case, you have to consider whether there are other lawful grounds for the data processing provided by the UK GDPR.