Create a legitimate interest assessment (LIA) to identify whether you can process personal data on the ground of legitimate interest.
Recently reviewed by Lauren Delin, Solicitor.
This LIA was last reviewed on 17 February 2022.
Legitimate interest is one of the six lawful grounds for the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin). You can rely on the legitimate interest ground where the processing is necessary for your legitimate interest, as long as the processing does not override the fundamental interest, rights and freedoms of the data subject (ie the individual the data relates to). Read Processing personal data for more information.
Where you want to process personal data in reliance on the legitimate interest ground, you need to carry out an LIA. An LIA is used to identify:
what the legitimate interest of the processing is
the benefits of processing the personal data in that way
if such processing is necessary
Where personal data is to be processed on the ground of legitimate interest, an LIA needs to be carried out before any data is processed.
Use this LIA:
if you want to process personal data on the ground of legitimate interest
where you got the personal data from the data subjects themselves (and not from third parties, such as service providers)
where you and the data subjects are based in the UK
This LIA covers:
the types of personal data
why you want to process the data (ie the purpose for processing)
the benefits of the processing
if the processing is necessary to help you achieve your purpose
what the data subject’s expectations about your processing are, and if they understand your purpose
the identification and assessment of any risks to data subjects
the identification of any measures to reduce or eliminate any risks
LIAs need to be completed where personal data is to be processed on the ground of legitimate interest provided that the processing does not override the fundamental interest, rights and freedoms of the data subjects. An LIA helps you determine whether you can process personal data on this ground, by helping you assess your specific situation. For more information, read Legitimate interest assessments.
Before you carry out your LIA you should consider:
what data is being processed and why
what the benefits of you processing the data are (ie consider the benefits for you and society as a whole)
if the data processing is actually helping you achieve your purpose and if legitimate interest is the most appropriate basis for processing
if individuals would expect you to process their data in this way
how you will ensure that individuals’ rights in relation to their data will be implemented and supported
any potential risks associated with your processing of the data, and how these could be reduced
whether you can achieve the same result in any other way (especially if that way may be less intrusive)
Consider familiarising yourself with the LIA process by reading Legitimate interest assessments.
Personal data is information relating only to individuals who can be personally identified from that data (on its own or with other data held). Personal data includes names, addresses, telephone numbers, birthdates, job titles and online identifiers (eg IP addresses).
There is a further 'special category' of 'sensitive personal data' which is awarded greater protection under the law and includes information about:
racial or ethnic origin
political opinions
religious or similar beliefs
trade union membership
physical or mental health or condition
sexual life
biometrics (eg fingerprint data/facial images) and genetics
While criminal offence data (personal data relating to criminal convictions and offences or related security measures) is treated separately from personal data and special category personal data, it is subject to even tighter controls.
For more information on personal data, read Data protection.
The purpose test involves you identifying your purpose for processing the personal data and deciding whether it counts as a legitimate interest. You should consider:
why you want to process the data
what benefits are expected from the processing (including benefits for the organisation, any third parties and the wider public) and how important those benefits are
the impact if the processing couldn’t go ahead
the intended outcome for individuals
whether any specific data protection rules (eg profiling requirements) and other relevant laws (eg specific e-privacy legislation) are complied with
whether industry guidelines and/or codes of practice are complied with
if any ethical issues exist in relation to the processing
For more information, read Legitimate interest assessments.
The necessity test involves you considering if the processing is actually necessary for the specific purpose identified in the purpose test. You should consider if:
the processing will actually help you achieve your purpose
the processing is proportionate to that purpose
the purpose could be achieved without processing the data (or by processing less data)
the purpose could be achieved by processing in another less intrusive or more obvious way
If other less intrusive alternatives to processing the data exist, you need to clearly set out why these are not reasonable alternatives in your LIA.
If it becomes difficult to explain how the processing helps you achieve your specified purpose, or if many alternative methods exist which aren’t your chosen business model, the purpose may need to be further specified.
For more information, read Legitimate interest assessments.
The balancing test involves you considering the interests and fundamental rights and freedoms of the data subject and balancing them against your own interests. In other words, you need to determine whether data subjects’ rights override the legitimate interests you have identified. This will involve considering:
the nature of the personal data to be processed
the expectations of the data subjects
the likely risks of the processing for the data subject and if any measures can be implemented to reduce such risks
If your processing carries a potential for high risk (if the potential risk is severe or the likelihood of the risk occurring is probable), you need a compelling legitimate interest to be able to satisfy the balancing test. You will also need to carry out a Data protection impact assessment (DPIA). For more information, read Legitimate interest assessments and Data protection impact assessments.
As part of the balancing test, you need to consider whether data subjects would expect their data to be used in the way in which you are using it, taking into account your particular circumstances. Specifically, you should consider if:
your intended purpose and method of processing are widely understood by the data subjects (eg you informed them about how and why you are processing data by providing them with a privacy notice)
how long ago the data was collected and if there have been any changes in technology or context which may affect reasonable expectations (eg any changes in technology that affect the services you provide)
you are doing something new or innovative with the data (eg processing data in a new or innovative way that individuals may not expect, such as market research involving emotional response analysis and brain activity)
actual evidence about expectations exists (eg from market research or pre-existing studies)
For more information, read Legitimate interest assessments.
You will need to consider and weigh up all factors for and against the processing identified in your LIA, to decide if your interests take priority over the risks to any individuals. This is not a mathematical exercise and there is an element of subjectivity involved, but you should be as objective as possible. You must be confident that you can demonstrate that the benefit of processing justifies any risks you have identified. Where the risks are more significant or serious, a more compelling justification will be needed.
If it is very difficult to determine an outcome, and you aren’t sure how best to proceed, finding another lawful basis for processing may be safest. This is because legitimate interest is not the most appropriate ground for any high-risk processing or processing not reasonably expected by the data subjects.
For more information, read Legitimate interest assessments.
Ask a lawyer for advice if:
you obtained the data from third parties and not the data subjects
you have any questions about LIAs
this document doesn’t meet your specific needs
This LIA is governed by the law of England, Wales and Scotland.