LIA stands for Legitimate Interests Assessment. It is a term that is not directly mentioned in the General Data Protection Regulation (GDPR), however, LIA is a form of risk assessment and should be conducted when your personal data processing is based on legitimate interest.
LIA supports the lawfulness of your processing, proves you have done your groundwork to determine that legitimate interest is a proper lawful basis, confirms your compliance, and allows you to align with the accountability principle.
When is legitimate interest a proper lawful base?
Before you start with any activity you will have to define a legal base for your processing. Even though consent is the best known lawful base, GDPR recognizes 6 different lawful bases for processing personal data and your processing will have to rely on one of those:
You can be obligated by the law to process someone’s data, perform a contract with an individual, or process their data based on their consent. However, legitimate interest is a little bit different since it is not centered around a particular purpose, and is not based on consent, that is why LIA is recommended to help you reaffirm that legitimate interest is a proper base.
Unfortunately, the GDPR does not define which factors to take into account when determining if your purpose is a legitimate interest. However, according to the ICO, you must have clear and specific benefits in mind if you want to rely on legitimate interests.
You need to be specific about the purpose of your processing and avoid being unclear or naming generic business purposes.
When relying on legitimate interest as a lawful base, make sure there is a relevant and appropriate relationship between the data subject and the controller (in this case you) in situations such as where the data subject is a client or in the service of the controller (Recital 47)
Make sure the legitimate interest pursued by the controller or by a third party is balanced against the fundamental rights and freedoms of the data subject.
If you are public authority you should not rely on the legitimate interest in the performance of public tasks.
How to conduct an LIA?
There is no laid out rules on how your LIA should look like, it will depend on specific circumstances of your processing activity. The assessment can be shorter or longer, and sometimes you may even conclude you will have to conduct Data Protection Impact Assessment or DPIA.
Remember, you cannot conduct LIA after you started with the processing activity since you will have to have a defined lawful basis before you start.
The best way to assure your LIA is conducted properly is by following a three-part test.
Three-part LIA test
The three-part test is based on the definition of legitimate interest in GDPR Article 6(f): “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
➡️ 1. The purpose test (is there a legitimate interest behind the processing?)
➡️ 2. The necessity test (is the processing necessary?)
➡️ 3. The balancing test (is the legitimate interest overridden by the fundamental rights and freedoms of the data subject?)
Answering to all three questions above and documenting your response should give you an impartial conclusion on the lawfulness of your processing and demonstrate you have taken everything into account in your assessment.
1. The purpose test
In the purpose test, you will have to assess if your purpose falls under the legitimate interest. Asking and answering a string of questions will help you determine this. We have collected questions from different sources, but you can add or exclude questions as you see fit for the specific situation:
➡️Why are you processing data?
➡️What are the benefits of processing?
➡️Is the processing in your interest or in the interest of any third-parties?
➡️Is processing ethical?
➡️What would happen if you wouldn’t go through with the processing?
➡️Is processing legal?
2. The necessity test
➡️Is processing personal data necessary to achieve the purpose?
➡️Is processing proportionate to what you are trying to achieve?
➡️Can you process less data or not process data at all?
➡️Are there other, less intrusive methods, available that can help you achieve your purpose?
3. The balancing test
The balancing test is regarding the last part of the GDPR Article 6(f) “…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This means you will have to analyze if the fundamental rights and freedoms of the individual are overriding your legitimate interest. There are certain categories of data that GDPR protects with additional requirements and safeguards like sensitive personal data or data related to minors.
The ICO states the minimum you should take into consideration when doing a balancing test is the nature of data, the reasonable expectations, and the impact the processing can have on the individual, this can translate into a set of questions:
➡️ Are you processing any type of sensitive personal data that falls under the special category of data (biometric data, health data, genetic data…)?
➡️ Are you processing personal data related to children and minors?
➡️ How will processing affect individuals?
➡️ Is your processing imposing a high-risk to individuals’ rights and freedoms?
If you are looking for more detailed instructions on how to conduct LIA, in our opinion the best guidelines were given by the UK’s Information Commissioner Office (ICO).
Why should you conduct a Legitimate Interests Assessment?
It is important to mention there is no requirement in the GDPR that mandates you to conduct LIA, so it may seem like unnecessary additional work. However, conducting LIA will help you create a long-term privacy program that will cover all the bases. As we mentioned before it is advised to conduct LIA so you can easily demonstrate your compliance to the supervisory authority and be able to comply with the accountability principle.
When conducting LIA make sure you find arguments that support both sides so you can get real results and if you get negative results on your assessment, try to redefine the purpose, minimize the scope or try to find an alternative lawful basis.
LIA is also a great self-assessment method that will help you understand the impact of your processing activity, avoid any potential risks, and ensure the lawfulness of the processing.