MAKE YOUR FREE Legitimate Interest Assessment (LIA)
What is a Legitimate Interest Assessment?
This document is GDPR compliant.
When should I use a Legitimate Interest Assessment?
- if you want to process personal data on the ground of legitimate interest
- when you obtained the personal data from the data subjects themselves (ie the people to whom the data relates), not from third parties, such as service providers
- when you and the data subjects are based in the UK
Sample Legitimate Interest Assessment (LIA)
LEGITIMATE INTEREST ASSESSMENT
PART 1
Date of the assessment |
Who is carrying out the assessment? |
Controller organisation |
Assessment to be kept under review by |
PART 2 - PURPOSE TEST
Processing
What is the purpose for which you are processing the data? |
Benefits
What are the benefits you expect to gain from the processing? |
Will any third parties benefit from the processing? | No
Are there any wider public benefits to the processing? | No
How important are these benefits? |
Impact
What would be the impact if the processing could not go ahead? |
Compliance
Are you complying with any specific data protection rules that apply to your processing? | The UK General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA) and .
Are you complying with other relevant laws? |
Are you complying with any industry guidelines or codes of practice? |
Are there any other ethical issues with the processing? |
PART 3 - NECESSITY TEST
Will the processing actually help you achieve your purpose? | Yes
Is the processing proportionate to your purpose? | Yes
Can you achieve the same purpose without the processing? |
Can you achieve the same purpose by either processing less data, or by processing the data in another more obvious or less intrusive way? |
PART 4 - BALANCING TEST
Nature of the personal data
Is the data being processed special category data or criminal offence data? |
Is any part of the data particularly sensitive or private? |
Are you processing children’s data or data relating to other vulnerable people? |
Is the data about people in their professional or personal capacity? |
Reasonable expectations
Do you have an existing relationship with the individual whose data is being processed? |
Source of the personal data | Collected directly from the individual
How did you tell the individual about, and explain, the use of their data when it was first collected? | By providing a privacy notice before any personal data was processed
Would individuals expect you to use their personal data in the way in which it is being used? |
Do you have any evidence about the expectations of individuals? | Yes. Title of evidence:
Likely impact
What are the potential risks of the processing, and what are the likelihood and severity of each? |
Are people likely to object to the processing or find it intrusive? |
Can you adopt any safeguards to minimise the impact? |
Can individuals opt out of the processing? |
PART 5 - DECISION
Can you rely on legitimate interests for this processing? |
Next review date |
About Legitimate Interest Assessments
Learn more about making your Legitimate Interest Assessment
How to make a Legitimate Interest Assessment
Making your Legitimate Interest Assessment online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all the information about the intended data processing prepared in advance, creating your document is a quick and easy process.
You’ll need the following information:
The organisation and the LIA
- What is the name of the organisation carrying out the LIA?
- What is the name of the individual carrying out the LIA for the organisation?
- On which date is the Assessment being carried out?
- Will the data protection officer (DPO) or another person keep the LIA under review? What is the reviewer’s name?
- On which date will the LIA next be reviewed?
The personal data
- Are you processing any special category personal data? If so, which types?
- Is any of the data particularly sensitive or private?
- Are you processing any data relating to children or other vulnerable people?
- Does the data relate to people in their professional or personal capacity?
Communication with data subjects
- Does the organisation already have a relationship with the data subjects (eg are they customers or employees)?
- If so, what is the nature of the relationship?
- How has the data subjects’ data been used in the past?
- How will the organisation explain to the data subjects how their information is to be processed? Via a privacy notice or in another way?
Aim and purpose of processing
- Why does the organisation want to process the personal data?
- How will the organisation benefit from the processing?
- Will any third parties and/or the general public also benefit from the processing? If so, how will they benefit?
- How important are the benefits you’ve identified?
- What would be the impact of the processing not going ahead?
- Are there any ethical issues associated with the processing?
Necessity
- How does the processing help to achieve the purpose of your project?
- How will you ensure that the data processing is proportionate to the purpose?
- Could your purpose be achieved without processing the data?
- If so, what alternatives exist and why are they not viable options in this instance?
- If not, why not?
- Could your purpose be achieved by processing the data in a different way, which is more obvious or less intrusive?
- If so, what alternatives exist and why are they not viable options in this instance?
- If not, why not?
Balancing
- Will your data subjects reasonably expect their data to be used in the way you’re planning to use it?
- If so, is this assertion supported by any research (eg academic studies)? If so, what are the studies’ titles and authors?
- Are individuals likely to object to the proposed processing of their personal data? If so, why?
- Does the processing carry any potential risks? If so:
- What is the likelihood of each risk occurring?
- How severe would the outcomes be if each risk was to occur?
- Can individuals opt out of the data processing?
- Are there any measures that can be adopted to minimise the potential risks posed by the processing?
- Do your interests in the data processing take priority over any risks posed to individuals?
Rules and laws
- Are there any specific data processing rules that apply to your processing?
- Will you comply with any other relevant laws to process data (eg the Safeguarding Vulnerable Groups Act 2006)?
- Do any industry guidelines or codes of practice apply to the organisation?
Common terms in a Legitimate Interest Assessment
LIAs set out the purposes of intended data processing and analyse whether an organisation has a viable legitimate interest to justify the processing. To do this, this LIA template is divided into the following sections:
Part 1
This first table sets out basic information about the Assessment, including the organisation’s and reviewer’s names and the review date.
Part 2 - Purpose test
This table sets out information about the purpose of your intended data processing. For example, it explains the expected benefits of the processing for various parties and the potential impacts of its not going ahead. Any specific laws or codes or similar that are to be complied with during the processing are also set out here, alongside any ethical issues relevant to the processing.
Part 3 - Necessity test
This table contains information required to help you analyse whether the data processing is truly necessary. For example, it will set out whether the processing will help you achieve your purpose and whether it is proportionate to this purpose. It also considers alternatives to the processing.
Part 4 - Balancing test
This table starts by identifying any special category personal data that is to be processed and whether the data relates to any particular categories of data subjects (eg children). It analyses whether data subjects are likely to expect their data to be processed in the planned way (eg by considering previous relationships between the organisation and the data subjects).
Lastly, this section considers the likely impacts of the data processing by providing details about risks, safeguards, and whether data subjects are likely to object to the processing.
Part 5 - Decision
This is where the reviewer must indicate the decision they’ve reached as the outcome of the LIA. This indicates whether, based on the analysis conducted via the LIA, the organisation can rely on legitimate interest as a legal basis for its intended processing.
If you want your LIA to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review the document for you (or to make the changes for you) to make sure that your modified Legitimate Interest Assessment complies with all relevant laws and meets your specific needs. Use Rocket Lawyer’s Ask a lawyer service for assistance.
Legal tips for organisations
Consider alternative processing methods
Legitimate interest is a valid ground for processing personal data, if it is applicable to your situation. However, if you’re unsure if it is applicable (eg if the benefits and risks of your processing are evenly matched when you carry out the balancing test), it may be safer to rely on a different basis for processing. For example, you could obtain data subjects’ consent to the processing. For more information on the available bases, read Processing personal data.
Use data protection policies to help with data protection compliance
This LIA helps you to analyse intended data processing to establish whether you can process data on the ground of legitimate interest. This is only one aspect of data protection compliance. It’s important that your organisation follows good data protection practices in all areas of its operations. Having various data protection policies and documents in place can help you to do this. You should consider making:
- a data retention policy - setting out what data should be stored or archived, where this should happen, and for how long
- an information security policy - outlining security and other related matters (eg how access to equipment will be secured, business continuity arrangements, and how personal data can be protected and recovered)
- a privacy policy - outlining your practices for the collection, storage, and use of personal data gathered on a website
- a privacy notice - informing data subjects about the ‘what, how, where, why and when?’ of how you process their personal data
Ask a lawyer if you need any bespoke policies drafted.
Make sure you comply with data protection law in practice
Carrying out assessments and having the right policies and documents in place is important, but this won’t in itself enable your organisation to comply with data protection law. You must make sure you actually carry out the practices you’ve committed to in your data protection documents, like LIAs. This means, for example, processing data using the method your analysis was based on and regularly reviewing documents like the LIA.
For more information, read Data protection and Data protection principles. If you need help you can use our Data protection compliance advice service.
Understand when to seek advice from a lawyer
In some circumstances, it’s good practice to Ask a lawyer for advice to ensure that you’re complying with the law and that you are well protected from risks. You should consider asking for advice if:
- you obtained the data from third parties and not the data subjects themselves
- you have any questions about LIAs
- this document doesn’t meet your specific needs
Legitimate Interest Assessment FAQs
What should a Legitimate Interest Assessment include?
This Legitimate Interest Assessment template covers:
- the types of personal data to be processed
- why your organisation wants to process the data (ie the purpose for processing)
- the benefits of the processing
- whether the processing is necessary to help you achieve your purpose
- what the data subjects’ expectations about your processing are, and whether or not they are likely to understand your purpose
- the identification and assessment of any risks posed to data subjects
- the identification of any measures used to reduce or eliminate any risks
Do I need a Legitimate Interest Assessment?
You must carry out an LIA if your organisation plans to process personal data on the ground of legitimate interest. Your organisation may be able to rely on legitimate interest as long as the processing does not override the fundamental interests, rights and freedoms of the data subjects.
This document offers a streamlined way of completing an LIA, to help you assess your organisation’s specific situation to determine whether you can process personal data on the ground of legitimate interest.
An LIA is used to identify:
- what the legitimate interest of the processing is
- the benefits of processing the personal data in the proposed way, and
- whether such processing is necessary for its purpose
For more information, read Legitimate interest assessments.
What is legitimate interest?
Legitimate interest is one of the six lawful grounds (or ‘bases’) that may allow the processing (eg obtaining or recording) of personal data (eg names, addresses, or information about racial and ethnic origin). You can rely on the legitimate interest ground where the processing is necessary for your legitimate interests, as long as the processing does not override the fundamental interests, rights, or freedoms of the data subjects (ie the individuals to whom the data relates). For more information, read Processing personal data.
What is personal data?
Personal data is information relating to individuals who can be identified from that data (either on its own or in combination with other data held). Personal data includes names, addresses, telephone numbers, birthdates, job titles, online identifiers (eg IP addresses), and more.
There is a further ‘special category’ of ‘sensitive personal data’ which is awarded greater protection under the law. This includes information about:
- racial or ethnic origin
- political opinions
- religious or similar beliefs
- trade union membership
- physical or mental health conditions
- sexual life
- biometrics (eg fingerprint data/facial images) and genetics
Criminal offence data (eg personal data relating to criminal convictions and offences or related security measures) is treated separately from personal data and special category personal data, but is subject to even tighter controls.
For more information, read Data protection.
What is the purpose test?
There’s no set procedure for carrying out LIAs, but an LIA will generally follow a three-part test: the purpose test, the necessity test, and the balancing test.
The purpose test involves you identifying your organisation’s purpose for processing the personal data and deciding whether it counts as a legitimate interest. You should consider:
- why you want to process the data
- what benefits are expected from the processing (including benefits for the organisation, any third parties, and the wider public) and how important those benefits are
- the potential impacts of the processing not going ahead
- the intended outcomes for individuals
- whether any specific data protection rules (eg profiling requirements) and other relevant laws (eg specific e-privacy legislation) are complied with
- whether industry guidelines and/or codes of practice are complied with
- whether any ethical issues exist in relation to the processing
For more information, read Legitimate interest assessments.
What is the necessity test?
The necessity test involves you considering whether the processing is actually necessary for the specific purpose identified in the purpose test. You should consider whether:
- the processing will actually help you to achieve your purpose
- the processing is proportionate to that purpose
- the purpose could be achieved without processing the data (or by processing less data)
- the purpose could be achieved by processing data in another way that is less intrusive or more obvious
If other less intrusive alternatives to processing the data exist, you need to clearly set out in your LIA why these are not reasonable alternatives to your selected processing method.
If it becomes difficult to explain how the processing helps you to achieve your specified purpose, or if many alternative methods exist other than your chosen processing method or business model, the purpose may need to be specified more clearly.
For more information, read Legitimate interest assessments.
What is the balancing test?
The balancing test involves you considering the interests and fundamental rights and freedoms of the data subjects and balancing them against your own interests. In other words, you need to determine whether data subjects’ rights override the legitimate interests you have identified. This will involve considering:
- the nature of the personal data to be processed
- the expectations of the data subjects
- the likelihood of risks that the processing poses to data subjects and whether any measures can be implemented to reduce these risks
If your processing carries a potential for high risk (ie if the potential harm from a risk is severe or the risk is likely to occur), you need a compelling legitimate interest to be able to satisfy the balancing test. You will also need to carry out a Data protection impact assessment (DPIA). For more information, read Legitimate interest assessments and Data protection impact assessments.
How do I determine whether data subjects would expect the processing?
As part of the balancing test, you need to consider whether data subjects would expect their data to be used in the way in which you are using it, taking into account your particular circumstances. Specifically, you should consider:
- whether your intended purpose and method of processing are widely understood by the data subjects (eg whether or not you informed them about how and why you are processing data by providing them with a privacy notice)
- how long ago the data was collected and if there have been any changes in technology or context which may affect reasonable expectations (eg any changes in technology that affect the services you provide)
- whether you are doing something new or innovative with the data (eg processing data in a new or innovative way that individuals may not expect, such as market research involving emotional response analysis and brain imaging)
- whether actual evidence about expectations exists (eg from market research or pre-existing studies)
For more information, read Legitimate interest assessments.
How do I know if I can process data on the basis of legitimate interest?
You will need to consider and weigh up all factors for and against the processing, which you have identified in your LIA, to decide if your interests take priority over the risks posed to any individuals. This is not a mathematical exercise and there is an element of subjectivity involved, but you should be as objective as possible. You must be confident that you can demonstrate that the benefit of processing justifies any risks you have identified. Where the risks are more significant or serious, a more compelling justification will be needed.
If it is very difficult to determine an outcome, and you aren’t sure how best to proceed, finding another lawful basis for processing may be safest. Legitimate interest is often not the most appropriate ground for any high-risk processing or for processing that is not reasonably expected by the data subjects.
For more information, read Legitimate interest assessments.