The legitimate interest assessment under the UK GDPR

If your company decides to process personal data on the legal basis of legitimate interests, a so-called legitimate interest assessment (LIA) must be performed. The UK General Data Protection Regulation (UK GDPR) does not explicitly require performing an LIA; however, the Information Commissioner’s Office (ICO) states that not carrying out an LIA will make it difficult to meet the obligations under the accountability principle. We will show you when you need to carry out an LIA, how to conduct one and the consequences of its outcome.

Legitimate interest

To lawfully process personal data, your company needs a legal basis for the processing. The UK GDPR stipulates the grounds on which personal data can be processed:

  • Data subject’s consent;
  • Contract or potential contract with an individual;
  • Complying with legal obligations;
  • Protecting vital interests of the data subject or another natural person;
  • Performing a task carried out in the public interest or in the exercise of official authority; or
  • Legitimate interests.

Legitimate interest is often used as a fall back clause to legitimate the processing of personal data. However, there are actually several hurdles to overcome. Such legitimate interest could exist, for example, where there is individual interest, commercial interest or broader societal interest. Moreover, they can be your company’s own interests (e.g., protection of property) and also the interests of third parties (e.g., video surveillance for tenants). However, legitimate interests can only be used as basis for data processing if your legitimate interests outweigh the interests of the data subjects.

Hence, if your company can justify the processing on legitimate interest, you need to perform an LIA.

How to perform a step-by-step legitimate interest assessment

An LIA should be conducted prior to the processing of personal data on the basis of legitimate interest. The ICO has clarified that an ex post LIA is not sufficient. Moreover, the assessment as well as the decision should be documented in order to demonstrate compliance with UK GDPR and in particular, the accountability principle.

While there is no predetermined process to conduct an LIA, the ICO has provided an LIA sample template, which can be used by companies. However, the assessment needs to include at least these three aspects, also referred to as the three-part test:

  1. The purpose test: identification of the legitimate interest(s);
  2. The necessity test: considering the necessity of the processing;
  3. The balancing test: considering the individuals’ interests.

The relevant factors for each test are set out in the ICO’s LIA template. We included them below to provide you with all relevant information. When conducting each test, it is important to consider all relevant factors irrespective of whether they support the final conclusion. This enables you to demonstrate that all relevant aspects have been considered before reaching a conclusion.

Purpose test

Under the purpose test, you need to identify the processing purpose and decide whether the purpose can be considered a legitimate interest. The ICO set out some questions that should be addressed when conducting the purpose test:

  • Why do you want to process the data?
  • What benefit do you expect to get from the processing?
  • Do any third parties benefit from the processing?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you could not go ahead?
  • What is the intended outcome for individuals?
  • Are you complying with other relevant laws?
  • Are you complying with industry guidelines or codes of practice?
  • Are there any ethical issues with the processing?

The UK GDPR lists some interests that are specifically considered legitimate, like fraud prevention, network and information security or the indication of possible criminal acts or threats to public security. Hence, depending on the circumstances of the respective case, a brief LIA can be sufficient. On the other hand, intra-group administrative transfers and marketing are mentioned as potentially legitimate interests in the UK GDPR, and in these cases, more detailed LIAs are usually necessary.

Necessity test

Once you have identified a legitimate purpose, assess whether the data processing is necessary for the identified purpose. The ICO set out a number of aspects to consider:

  • Will the processing actually help to achieve the purpose?
  • Is the processing proportionate to that purpose?
  • Is it possible to achieve the purpose without processing the data, or by processing less data?
  • Is it possible to achieve the purpose by processing the data in another or less intrusive way?

Balancing test

In the balancing test, you need to weigh the rights and freedoms of the individual against the legitimate interests you identified. According to the ICO, you should at least take the following aspects into account:

In this step, you have to consider the sensitivity of the data. According to the ICO, it should be determined whether the data falls under any of the following categories:

  • Special category data;
  • Criminal offence data;
  • Another type of data that people are likely to consider particularly “private”, e.g., financial data;
  • Children’s data or data relating to other vulnerable individuals; or
  • Whether the data relates to people in their personal or professional capacity.

The more sensitive or “private” the data, the more likely it is that the processing entails significant risks for the rights and freedoms of individuals. To use these types of data, it is usually required to have a more compelling interest (e.g., fraud prevention or indication of criminal acts) and particular emphasis must be placed on providing adequate safeguards. A common safeguard is, for example, the encryption of data.

In addition, you have to consider whether the data subjects expect you to process their data the way you would in that particular circumstance. This does not require demonstrating that every person actually expects you to use their data in a certain way. It only has to be shown that from the perspective of a reasonable person, the data processing would be expected.

The ICO set out relevant factors that should be taken into account:

  • Is there an existing relationship with the individual? If yes, what is its nature?
  • How has the individual’s data been used in the past?
  • Has the data been collected directly from the individual?
  • What information has been given to the individuals at the time?
  • If the data has been obtained from a third party, what did they tell individuals about the reuse of the data by third parties for other purposes?
  • How long ago was the data collected? Are there any changes in technology or other context since that time that would affect current expectations?
  • Is the intended purpose and method obvious or widely understood?
  • Is it intended to do anything new or innovative?
  • Is there any actual evidence about expectations, e.g., from market research, focus groups or other forms of consultation?
  • Are there any other factors, given the particular circumstances that indicate that individuals would or would not expect the processing?

Finally, you have to determine how the processing may potentially impact individuals and what damage it might cause. In particular, you should assess whether the processing might cause harm to individual interests, rights and freedoms. Hereby, the likelihood and severity of any harm has to be considered. The ICO recommends to take into account the following aspects:

  • Whether the processing constitutes a barrier to individuals exercising their rights (including but not limited to privacy rights);
  • Whether the processing constitutes a barrier to individuals accessing services or opportunities;
  • Whether the processing might cause the loss of control over further uses of their personal data;
  • Whether the processing contributes to the risk of physical harm;
  • Whether the processing contributes to the risk of financial loss, identity theft or fraud; or
  • Any other significant economic or social disadvantage (discrimination, loss of confidentiality or reputational damage).

If you identify a high risk for individual interests, rights and freedoms, the legitimate interest of your company has to be compelling enough to outweigh these risks in order to pass the balancing test. This makes it necessary to conduct a data protection impact assessment (DPIA). In a DPIA, you assess the risks of the proposed data processing, its necessity and proportionality, and any mitigating measures to counter the assessed risks. Compared to the LIA, the DPIA is a more in-depth assessment, for which the process and content must meet additional minimum requirements.

If you identify lower risks, you only have to weigh these against the benefits that could be derived from the processing. Finally, you should consider the safeguards that can be put in place in order to mitigate the identified risks.

Determining the outcome of an LIA

To determine the outcome of the LIA, all relevant factors that have been identified during the assessment should be weighed against each other in order to assess whether the individual interests or the company’s interests prevail. You should review and update this decision if the legitimate interest and/or the processing are altered in a way that could influence the LIA’s outcome.

If the LIA indicates that the potential impact of the data processing outweighs the legitimate interests, the respective data cannot be processed on the basis of legitimate interests. In this case, you have to consider whether there are other lawful grounds for the data processing provided by the UK GDPR.