Profile information Account settings
Sign up Log in

MAKE YOUR FREE Legitimate interest assessment (LIA)

  • Make your document in minutes
  • Access from any device
  • Securely sign online
Make document

How to make a Legitimate interest assessment (LIA)

Create a legitimate interest assessment (LIA) to identify whether you can process personal data on the ground of legitimate interest.

Recently reviewed by Lauren Delin, Solicitor.

This LIA was last reviewed on 17 February 2022.

Legitimate interest is one of the six lawful grounds for the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin). You can rely on the legitimate interest ground where the processing is necessary for your legitimate interest, as long as the processing does not override the fundamental interest, rights and freedoms of the data subject (ie the individual the data relates to). Read Processing personal data for more information.

Where you want to process personal data in reliance on the legitimate interest ground, your need to carry out an LIA. An LIA is used to identify:

  • what that legitimate interest of the processing is

  • the benefits of processing the personal data in that way

  • if such processing is necessary

Where personal data is to be processed on the ground of legitimate interest, an LIA needs to be carried out before any data is processed.

Use this LIA:

  • if you want to process personal data on the ground of legitimate interest

  • where you got the personal data from the data subjects themselves (and not from third parties, such as service providers)

  • where you and the data subjects are based in the UK

This LIA covers:

  • the types of personal data

  • why you want to process the data (ie the purpose for processing)

  • the benefits of the processing 

  • if the processing is necessary to help you achieve your purpose

  • what the data subject’s expectations about your processing are, and if they understand your purpose

  • the identification and assessment of any risks to data subjects

  • the identification of any measures to reduce or eliminate any risks

LIAs need to be completed where personal data is to be processed on the ground of legitimate interest provided that the processing does not override the fundamental interest, rights and freedoms of the data subjects. An LIA helps you determine whether you can process personal data on this ground, by helping you assess your specific situation. For more information, read Legitimate interest assessments.

Before you carry out your LIA you should consider:

  • what data is being processed and why

  • what the benefits of you processing the data are (ie consider the benefits for you and society as a whole)

  • if the data processing is actually helping you achieve your purpose and if legitimate interest is the most appropriate basis for processing                         

  • if individuals would expect you to process their data in this way

  • how you will ensure that individuals’ rights in relation to their data will be implemented and supported

  • any potential risks associated with your processing of the data, and how these could be reduced

  • whether you can achieve the same result in any other way (especially if that way may be less intrusive)

Consider familiarising yourself with the LIA process by reading Legitimate interest assessments.

Personal data is information relating to individuals only who can be personally identified from that data (on its own or with other data held). Personal data includes names, addresses, telephone numbers, birthdates, job titles and online identifiers (eg IP addresses).

There is a further 'special category’ of 'sensitive personal data' which is awarded greater protection under the law and includes information about:

  • racial or ethnic origin

  • political opinions

  • religious or similar beliefs

  • trade union membership

  • physical or mental health or condition

  • sexual life

  • biometrics (eg fingerprint data/facial images) and genetics

While criminal offence data (personal data relating to criminal convictions and offences or related security measures) is treated separately from personal data and special category special data, it is subject to even tighter controls. 

For more information on personal data, read Data protection.

The purpose test involves you identifying your purpose for processing the personal data and deciding whether it counts as a legitimate interest. You should consider:

  • why you want to process the data

  • what benefits are expected from the processing (including benefits for the organisation, any third parties and the wider public) and how important those benefits are

  • the impact if the processing couldn’t go ahead

  • the intended outcome for individuals

  • whether any specific data protection rules (eg profiling requirements) and other relevant laws (eg specific e-privacy legislation) are complied with

  • whether industry guidelines and/or codes of practice are complied with

  • if any ethical issues exist in relation to the processing

For more information, read Legitimate interest assessments.

The necessity test involves you considering if the processing is actually necessary for the specific purpose identified in the purpose test. You should consider if:

  • the processing will actually help you achieve your purpose

  • the processing is proportionate to that purpose

  • the purpose could be achieved without processing the data (or by processing less data)

  • the purpose could be achieved by processing in another less intrusive or more obvious way

If other less intrusive alternatives to processing the data exist, you need to clearly set out why these are not reasonable alternatives in your LIA. 

If it becomes difficult to explain how the processing helps you achieve your specified purpose, or if many alternative methods exist which aren’t your chosen business model, the purpose may need to be further specified.

For more information, read Legitimate interest assessments.

The balancing test involves you considering the interests and fundamental rights and freedoms of the data subject and balancing them against your own interests. In other words, you need to determine whether data subjects’ rights override the legitimate interests you have identified. This will involve considering:

  • the nature of the personal data to be processed

  • the expectations of the data subjects

  • the likely risks of the processing for the data subject and if any measures can be implemented to reduce such risks

If your processing carries a potential for high risk (if the potential risk is severe or the likelihood of the risk occurring is probable), you need a compelling legitimate interest to be able to satisfy the balancing test. You will also need to carry out a Data protection impact assessment (DPIA). For more information, read Legitimate interest assessments and Data protection impact assessments.

As part of the balancing test, you need to consider whether data subjects would expect their data to be used in the way in which you are using it, taking into account your particular circumstances. Specifically, you should consider if:

  • your intended purpose and method of processing are widely understood by the data subjects (eg you informed them about how and why you are processing data by providing them with a privacy notice)

  • how long ago the data was collected and if there have been any changes in technology or context which may affect reasonable expectations (eg any changes in technology that affect the services you provide)

  • you are doing something new or innovative with the data (eg processing data in a new or innovative way that individuals may not expect, such as market research involving emotional response analysis and brain activity)

  • actual evidence about expectations exists (eg from market research or pre-existing studies)

For more information, read Legitimate interest assessments.

You will need to consider and weigh up all factors for and against the processing identified in your LIA, to decide if your interests take priority over the risks to any individuals. This is not a mathematical exercise and there is an element of subjectivity involved, but you should be as objective as possible. You must be confident that you can demonstrate that the benefit of processing justifies any risks you have identified. Where the risks are more significant or serious, a more compelling justification will be needed.

If it is very difficult to determine an outcome, and you aren’t sure how best to proceed, finding another lawful basis for processing may be safest. This is because legitimate interest is not the most appropriate ground for any high-risk processing or processing not reasonably expected by the data subjects.

For more information, read Legitimate interest assessments.

Ask a lawyer for advice if:

  • you obtained the data from third parties and not the data subjects

  • you have any questions about LIAs

  • this document doesn’t meet your specific needs

This LIA is governed by the law of England, Wales and Scotland.

Other names for Legitimate interest assessment (LIA)

LIA, Legitimate interests assessment, Legitimate interest impact assessment, Assessment of legitimate interests.