In another blog, we discussed Data Protection Impact Assessments (DPIAs). Like DPIAs, Legitimate Interests Assessments (LIAs) are used by organisations to assess the risks of processing personal data, but the two are distinct in that they are required in differing circumstances.
When does my organisation need a Legitimate Interests Assessment?
Under the UK General Data Protection Regulation (“GDPR”) Article 6(1), organisations must have a lawful basis for processing personal data. One of the lawful bases is legitimate interests, which is considered the most flexible lawful basis for processing personal data.
The lawful basis of legitimate interests may be used when the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Whilst organisations are not legally obliged to have LIAs (whereas DPIAs are legally required), the Information Commissioner’s Office (ICO) recommends that undertaking LIAs is best practice and helps to ensure compliance with the accountability principle under the GDPR.
What should a Legitimate Interests Assessment include?
Whilst there is no legal requirement as to the form an LIA should take, the ICO does provide a template LIA here, consisting of the three-part test below:
- Purpose test: identifying the legitimate interests the processing is intended to achieve.
- Necessity test: assessing whether the processing is necessary for the purpose(s) of achieving the legitimate interests.
- Balancing test: ensuring that the individual’s interests, rights and freedoms do not override the legitimate interests.
The balancing test above also requires various factors to be considered when weighing legitimate interests against an individual’s interests, rights and freedoms, including the nature of the personal data being processed, whether an individual would reasonably expect their personal data to be processed in this way, what the potential impact on individuals resulting from the processing would be, and whether any safeguards can be adopted to minimise such impact on individuals.
Where the outcome of the balancing test is that the individual’s interests, rights and freedoms override the legitimate interests, organisations should not rely on legitimate interests and should instead consider relying on an alternative lawful basis (or not process the personal data in the manner intended if no relevant basis can be found).
We have an experienced team that is able to advise on all issues relating to data protection. Please contact our team here if you would like more information or advice.