What Is a Legitimate Interests Assessment Under Data Protection Law?

When running a business, dealing with personal data is crucial to your everyday activities. Whether it is customer information, employee records, or client details, most companies must process various types of personal data to keep their operations running smoothly. However, under UK data protection law, you must have a ‘lawful basis’ to process personal data. One of the lawful bases is ‘legitimate interests’. To ensure you are using this basis correctly, your business should conduct an assessment known as a Legitimate Interests Assessment (LIA). This article will explore controllers using personal data for legitimate interests, why an LIA is essential, and how to conduct this assessment effectively. 

What Is the UK GDPR?

The UK GDPR law governs how businesses may collect, store, and use personal data. Its essential purpose is to protect data subjects’ privacy and give them control over their data. 

For your business, this means you must take data protection seriously and ensure all your data processing activities are lawful, fair, and transparent.

What Is a Lawful Basis for Processing Personal Data?

You must have a lawful basis before processing personal data as a controller. 

The UK GDPR outlines six lawful bases that you can rely on:

• Consent: This is when the data subject gives you clear permission to process their data for a specific purpose;
• Contract: The processing is necessary to fulfil a contract with the data subject or because they have asked you to take specific steps before entering into an agreement with them;
• Legal Obligation: This is where you must process the data to comply with a legal obligation;
• Vital Interests: Here, processing is necessary to protect someone’s life, which typically applies in emergencies and is rare;
• Public Task: Here, you need to process the data to perform a task in the public interest or for your official functions, and the task has a clear legal basis; and
• Legitimate Interests: On this basis, you need to process the data for your legitimate interests or those of a third party, provided these interests do not override the individual’s fundamental rights and freedoms. This is a flexible ground that businesses can rely on. 

Each basis is different, and it is essential to select the one that best fits your business’s needs regarding the data, depending on the relevant data processing activities. If you decide that legitimate interests are the correct basis for your data processing situation, as best practice, you should conduct a Legitimate Interests Assessment (LIA), as we explore below.

What is Legitimate Interest?

Legitimate interest is one of the six lawful bases for processing personal data under the UK GDPR. As the data controller, you allow your business to process personal data when necessary for your legitimate interests or those of a third party. However, this processing must not override the fundamental rights and freedoms of the data subject.

Legitimate interests can cover a wide range of purposes. But even though legitimate interests give you some flexibility, you still need to identify the specific reason you are processing the data and ensure that it is legitimate in that context.

What Is a Legitimate Interests Assessment (LIA)?

An LIA is a process that helps you determine whether you can rely on legitimate interests as your lawful basis for processing personal data. An LIA enables you to demonstrate compliance with the law. It involves a three-part test to ensure that your legitimate interests do not override the rights and freedoms of the data subjects whose data you are processing.

The steps to conducting an effective LIA include the following:

1. The Purpose Test – Identifying Your Legitimate Interests

You should understand precisely what legitimate interest you are pursuing. For example, this could be to conduct direct marketing. You should be very clear and specific about why you want to process the data and what benefit you expect to gain from it. For example, suppose your business intends to use customer data to send targeted marketing emails. In that case, your legitimate interest might be increasing sales by reaching out to customers who have previously shown interest in your products.

2. The Necessity Test – Is Processing Necessary?

Next, you must assess whether data processing is necessary for your legitimate interest. Ask yourself if there is a less intrusive way to accomplish the same goal. Could you anonymise the data or collect less information to reduce the impact on the individual’s privacy? 

The key here is that the processing must be a reasonable and proportionate way of achieving your goal. If there is a less intrusive way to get the same result, you may need to rethink whether legitimate interests are the appropriate basis.

3. The Balancing Test – Weighing Your Interests Against the Individual’s Rights

Finally, you will need to balance your legitimate interests against the fundamental rights and freedoms of the data subjects. This is the most critical part of the LIA. Think about the type of data you are dealing with, the relationship you have with the individuals, their reasonable expectations, and the potential impact of the processing on them. 

4. Recording Your Outcome 

Once you have completed the LIA, it is essential to document the results. This record will show that you have carefully considered whether legitimate interests apply. It also demonstrates that you have taken steps to protect the individual’s rights. 

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

While the UK GDPR does not require you to document your LIA, doing so helps demonstrate your commitment to data protection and ensures you comply with the accountability principle under the law. Remember that if your assessment shows risks or fails, you must consider a different lawful basis. 

Why Is Conducting an LIA Important?

Conducting an LIA is crucial because it helps ensure that your data processing activities are lawful and demonstrate compliance. If you rely on legitimate interests without conducting an LIA, you could risk breaching the UK GDPR, leading to penalties and damaging your business’s reputation. 

Remember that you should always keep your LIA under review, especially if there is a significant change in the processing activities. You must also include information about your legitimate interests in your privacy policy to maintain transparency with your data subjects.

Key Takeaways

An LIA is an essential process for any business that relies on legitimate interests as its lawful basis for processing personal data under the UK GDPR. The LIA involves a three-part test:

• identifying your legitimate interests;
• determining whether the processing is necessary; and
• balancing your interests against the rights and freedoms of the data subjects involved.

By conducting an LIA, you can ensure that your data processing activities are lawful. It can also enable you to rely on legitimate interests as your lawful basis. 

If you need help with LIA, LegalVision’s experienced data privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions 

1. What is the UK GDPR?

The UK GDPR is a data protection law defining how businesses collect, store, and use personal data. It aims to protect data subjects’ privacy and give them control over their personal information.

2. What is a lawful basis for processing personal data?

A lawful basis for processing personal data is a legal reason that allows you to process data under the UK GDPR. There are six lawful bases – consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must have a lawful basis before you can process any personal data.