Although the General Data Protection Regulation (GDPR) never names it explicitly, the Legitimate Interest Assessment (LIA) is an important tool for organizations. It is a form of risk assessment that should be conducted whenever your processing of personal data relies on legitimate interest as its lawful basis.
An LIA supports the lawfulness of your processing: it records the groundwork you did to establish that legitimate interest is the appropriate lawful basis, provides evidence of that reasoning to a supervisory authority, and helps you meet the accountability principle in Article 5(2).
When is legitimate interest a proper lawful basis?
Before you start any processing activity, you must identify a lawful basis for it.
Consent is the best-known lawful basis, but the GDPR recognizes six in Article 6(1), and your processing must rely on one of them: consent, contract, legal obligation, vital interests, public task, or legitimate interest. Read more about it: How to determine lawful basis for processing.
Legitimate interest differs from the other lawful bases: it is not tied to a particular purpose and does not depend on the individual's consent, which makes it the most flexible basis and also the one you must justify most carefully. This is where the LIA comes into play, helping you confirm that legitimate interest is the right choice for your processing.
The GDPR does not list the factors to consider when deciding whether your purpose qualifies as a legitimate interest. You must nevertheless be able to point to clear and specific benefits in order to rely on it.
Be specific about the purpose of your processing and avoid generic business purposes such as "improving our services".
Make sure there is a relevant and appropriate relationship between you and the data subject in situations where the data subject is a client or in the service of the controller (Recital 47)
Ensure the legitimate interest pursued by the controller or a third party is balanced against the fundamental rights and freedoms of the data subject.
If you are a public authority, you cannot rely on legitimate interest for processing carried out in the performance of your public tasks (Article 6(1), final sentence); use the public task basis instead.
How to conduct LIA?
There are no prescribed rules for what your LIA should look like; it will depend on the specific circumstances of your processing activity. The assessment can be shorter or longer, and sometimes it will lead you to conclude that a Data Protection Impact Assessment (DPIA) is required as well.
Remember that an LIA must be completed before the processing activity begins; it cannot be carried out retrospectively to justify processing that is already under way. The most reliable way to conduct an LIA properly is to follow the three-part test.
Three-part LIA test
The three-part test is based on the wording of Article 6(1)(f) GDPR: "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
- The purpose test (is there a legitimate interest behind the processing?)
- The necessity test (is the processing necessary?)
- The balancing test (is the legitimate interest overridden by the fundamental rights and freedoms of the data subject?)
Answering all three questions and documenting your answers should give you an impartial conclusion on the lawfulness of your processing and show that you have taken everything relevant into account.
1. The purpose test
In the purpose test, you assess whether your purpose qualifies as a legitimate interest. Working through a set of questions will help you decide. We have collected these questions from different sources; add or remove questions as the specific situation requires:
- Why are you processing data?
- What are the benefits of processing?
- Is the processing in your interest or in the interest of any third parties?
- Is processing ethical?
- What would happen if you did not go ahead with the processing?
- Is the processing itself lawful under other applicable laws and regulations?
2. The necessity test
- Is processing personal data necessary to achieve the purpose?
- Is processing proportionate to what you are trying to achieve?
- Can you process less data or not process data at all?
- Are other, less intrusive methods available to help you achieve your purpose?
3. The balancing test
The balancing test addresses the last part of Article 6(1)(f) GDPR: "...except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
This means you must analyze whether the fundamental rights and freedoms of the individual override your legitimate interest. Certain categories of data receive additional requirements and safeguards under the GDPR, such as special category data (Article 9) and data relating to children.
At a minimum, a balancing test should consider the nature of the data, the reasonable expectations of the individual, and the impact the processing can have on them. This translates into a set of questions:
- Are you processing sensitive personal data that falls under the special category of data (biometric data, health data, genetic data…)?
- Are you processing personal data related to children and minors?
- How will processing affect individuals?
- Does your processing pose a high risk to individuals' rights and freedoms? If so, a DPIA is required under Article 35 in addition to the LIA.
Why you should conduct a Legitimate Interest Assessment
It is worth noting that no GDPR provision explicitly requires you to conduct an LIA, so it may look like unnecessary extra work. However, conducting one substantially reduces the risk that your chosen lawful basis is challenged or found unlawful.
As mentioned above, conducting an LIA lets you demonstrate your compliance to the supervisory authority and satisfy the accountability principle.
When conducting an LIA, record the arguments on both sides so that the result is accurate rather than self-serving. If the assessment comes out negative, redefine the purpose, minimize the scope of the processing, or choose an alternative lawful basis.
An LIA is also a useful self-assessment method that helps you understand the impact of your processing activity, avoid foreseeable risks, and ensure the processing is lawful.
Need help with LIA?
Performing and maintaining compliant DPIAs and LIAs can be challenging because they are resource-intensive. They require consistent, substantial involvement from multiple stakeholders, such as legal, compliance, and IT teams.
This is particularly demanding when no automation tooling is available.
The Assessment Automation module provides templates for DPIA and LIA assessments that track current data protection requirements, saving time and resources.
It lets you identify potential privacy risks quickly and implement measures to address them, giving you greater control over, and transparency into, your data processing activities.
The module simplifies data privacy management, making it easier to conduct and maintain compliant DPIA and LIA assessments and reducing the risk of non-compliance, legal consequences, and financial loss.