What is legitimate interest?
Legitimate interest is one of the 6 lawful grounds (or ‘lawful bases’) for the processing of personal data. An organisation can rely on the legitimate interest ground where the processing is necessary for the legitimate interests of the organisation (also known as the ‘data controller’) or a third party, as long as the processing does not override the fundamental interest, rights and freedoms of the data subject (ie the individual the data relates to).
Legitimate interests can include commercial interests, individual interests or broader societal benefits. For example, the data processing may be in the legitimate interests of an organisation for network and information security or for the prevention of fraud. In some circumstances, activities like processing client or employee data and direct marketing may be considered a legitimate interest. However, organisations still need to identify and show the precise purpose for processing and show that it is legitimate in the specific circumstances.
Read Processing personal data for more information.
Being ‘necessary’
The processing needs to be necessary for the purposes of the legitimate interests the organisation has identified. Being ‘necessary’ means that the processing is a targeted and proportionate way of achieving the relevant purpose. If there is another reasonable and less intrusive way of achieving the same result, the legitimate interest ground will not be appropriate.
Fundamental interests, rights and freedoms
When determining whether the processing overrides the fundamental interest, rights and freedoms of data subjects, organisations should focus on the potential impacts on data subjects, including physical, financial or any other impacts, including causing:
-
an inability to exercise rights (eg data protection rights)
-
loss of control over the use of personal data
-
social and/or economic disadvantages
For more detailed information on legitimate interest, see the Information Commissioner’s Office’s (ICO’s) guidance on the legitimate interest basis.
When can legitimate interest be relied on?
While the legitimate interest ground is the most flexible lawful basis for processing, it won’t always be the most appropriate. Generally, legitimate interest is likely to be most appropriate when:
-
the processing, while not required by law, is of clear benefit to the organisation or others
-
the processing has a limited privacy impact on the data subject
-
the personal data is being used in a way that the data subject would reasonably expect, and
-
the organisation cannot (or does not want to) give the data subject full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing
Organisations may also be able to rely on the legitimate interests ground if they have a compelling reason for the processing. This is especially the case where the data processing is more intrusive. However, organisations will have to be able to justify the impact on data subjects.
While the legitimate interest ground can be relied on when children’s data is being processed, organisations will need to take extra care to ensure that children’s interests are protected. For more information, read Data protection and children and see the ICO’s guidance on children and the GDPR.
Organisations should generally avoid relying on legitimate interest if they are using personal data in a way that data subjects would not understand or not reasonably expect, or if data subjects would object to the processing if it was explained to them. Processing on the legitimate interest ground should also be avoided where the processing could cause harm unless a compelling reason that justifies the impact exists.
Public authorities cannot rely on the legitimate interest for any processing in connection with the performance of their tasks as a public authority.
For more information, see the ICO’s guidance on when the legitimate interest ground may be appropriate.
What is a legitimate interest assessment?
Whenever an organisation wishes to process personal data in reliance on the legitimate interest ground, it needs to carry out a Legitimate interest assessment (LIA). An LIA is used to identify:
-
what the legitimate interest of the processing is
-
the benefits of processing the personal data in that way, and
-
if such processing is necessary
Where personal data is to be processed on the ground of legitimate interest, an LIA needs to be carried out before any data is processed.
What does an LIA cover?
While there is no set process for LIAs, they generally follow a 3-part test:
-
the purpose test - identifying the legitimate interest
-
the necessity test - considering whether the processing is necessary
-
the balancing test - considering individuals’ interests and balancing them against the organisation’s interests
The purpose test
This involves organisations identifying their purpose for processing and deciding whether it counts as a legitimate interest. Organisations should consider:
-
why they want to process the data
-
what benefits are expected from the processing (including benefits for the organisation, any third parties and the wider public) and how important those benefits are
-
the impact if the processing couldn’t go ahead
-
the intended outcome for individuals
-
whether any specific data protection rules (eg profiling requirements) and other relevant laws (eg specific e-privacy legislation) are complied with
-
whether industry guidelines and/or codes of practice are complied with
-
whether any ethical issues exist in relation to the processing
The UK General Data Protection Regulations (GDPR) sets out that a legitimate interest exists if data is processed for any of the following purposes:
-
the prevention of fraud (provided that it is strictly necessary)
-
network and information security (provided that it is strictly necessary)
-
indicating possible criminal acts or threats to public security
Further, the legitimate interest ground will likely apply if the organisation is processing:
-
client or employee data
-
for direct marketing purposes
-
for intra-group administrative transfers
Where possible, the purpose should be as specific as possible. Having a clearly defined purpose will make carrying out the rest of the assessment (and especially the necessity test) easier. For more information and a worked example, see the ICO’s guidance on carrying out an LIA.
If the purpose test cannot be met, an organisation cannot rely on legitimate interests as a lawful basis for processing.
The necessity test
This involves considering if the processing is actually necessary for the specific purpose identified in the purpose test. Organisations should consider whether:
-
the processing will actually help them achieve their purpose
-
the processing is a proportionate means of achieving that purpose
-
the purpose could be achieved without processing the data (or by processing less personal data)
-
the purpose could be achieved by processing in another less intrusive or more obvious way
If other less intrusive alternatives to processing the data exist, the LIA needs to clearly set out why these are not reasonable alternatives.
If, while completing an LIA, it becomes difficult to explain how the processing helps achieve the specified purpose, or if many alternative methods exist which aren’t the organisation’s chosen business model, the purpose may need to be further specified.
For more information and a worked example, see the ICO’s guidance on carrying out an LIA.
The balancing test
This involves the organisation considering the interests and the fundamental rights and freedoms of the data subject and balancing these against their own interests. In other words, the organisation needs to determine whether data subject rights override the legitimate interests it has identified. This will involve considering:
-
the nature of the personal data to be processed
-
the reasonable expectations of the data subject
-
the likely impact of the processing on the data subject and whether any safeguards can be implemented to reduce any negative impacts
Nature of the data
Organisations should consider the sensitivity of the personal data, specifically:
-
whether the personal data is special category ‘sensitive’ personal data (eg information about physical/mental health) or criminal offence data (eg information about criminal activity) - these are awarded greater protection under data protection laws
-
whether the data is likely to be considered particularly private (eg financial data)
-
whether the personal data relates to children or other vulnerable individuals
-
whether the data is about people in their personal or professional capacity
The more sensitive (or private) personal data is, the more likely it is that the processing will be intrusive or create a significant risk to the data subject’s rights and freedoms (eg putting someone at risk of unlawful discrimination). Where this is the case, organisations will need to have a compelling justification for using the data and will need to take special care to have adequate safeguards in place.
If the personal data is considered less sensitive or private (eg because it concerns data subjects in their work capacity) then the impact may be less. However, organisations will still need to consider its likely impact.
Reasonable expectations
Organisations should consider whether data subjects will reasonably expect the organisation to use their personal data in this way, considering all relevant factors, including:
-
whether there is an existing relationship with the data subject - the legitimate interests ground is more likely to apply where there is a ‘relevant and appropriate relationship’, for example, because the data subject is a client or employee. If there isn’t a pre-existing relationship, it can be harder to demonstrate that the processing can be reasonably expected
-
how the data subject’s data has been used in the past - if data has been used in a similar or the same way, the processing is more likely to be reasonably expected
-
whether the data was collected directly from the data subject and, if so, what they were told at the time - eg information may have been provided in a privacy notice
-
whether the data was obtained from a third party (eg a party that collects data via a mobile application and uploads it to its servers) and, if so, what they told the data subjects about the reuse of the data by others - depending on what data subjects were told, they may be less likely to reasonably expect this type of further processing
-
when the data was collected and whether there have been any changes that may affect current expectations - eg changes to technology, such as the introduction of certain AI technologies
-
whether the organisation’s intended purpose is obvious or widely understood - the more obvious/widely understood the intended purpose, the more likely that the processing is reasonably expected
-
whether the organisation is planning to do something new or innovative - new or innovative use of personal data may be less reasonably expected
-
whether actual evidence about expectations exists - eg from market research or studies
-
any fact-specific factors that indicate that data subjects may or may not reasonably expect the processing
Organisations do not have to show that every individual would expect their data to be used in this way, but that a reasonable person would expect their data to be used in this way in light of the specific circumstances.
Organisations may consider carrying out consultations, focus groups or market research if the processing’s purpose and method are not immediately obvious and people may have a range of reasonable expectations regarding the processing. This will help demonstrate expectations and support the organisation’s position. Organisations may, as part of their determination, also wish to rely on any pre-existing studies regarding reasonable expectations in such a context.
Safeguards
Organisations need to consider the potential impact on data subjects and any damage the processing may cause. As a first step, organisations should consider whether the processing is inherently likely to result in a high risk to individuals’ rights and freedoms (eg as the processing of biometric data like fingerprint data/facial images likely would). If this is the case, a Data protection impact assessment (DPIA) will need to be carried out. For more information on this, read Processing high-risk personal data and DPIAs. Consider following the ICO’s DPIA screening checklist to determine whether a DPIA is needed.
If the processing is not likely to result in a high risk, a risk assessment still needs to be carried out to consider whether the processing may cause any harm to the data subject’s interests, rights and freedoms. Organisations should consider whether the data processing could contribute to:
-
the inability to exercise rights (eg privacy rights)
-
the inability to access services/opportunities
-
the loss of control over the use of personal data
-
identity theft/fraud
-
financial or physical harm
-
any other significant economic or social disadvantage (eg discrimination, loss of confidentiality or reputational damage)
Both the likelihood and severity of any possible harm should be considered.
The likelihood of possible harm can be remote (ie it's possible that the harm may occur, but not likely), possible (ie the harm may happen or reoccur on a semi-regular basis) or probable (ie the harm is reoccurring on a regular basis).
The severity of the possible harm can be:
-
minimal - involving short-term minimal embarrassment to an individual, small amounts of personal data of the data subject, and/or minimal disruption or inconvenience in service delivery to the individual
-
significant - involving significant amounts of personal data being transferred outside of the organisation, leading to significant actual or potential detriment including emotional distress, as well as both physical and financial damage and/or safeguarding concerns
-
severe - involving significant amounts of personal data being transferred outside of the organisation leading to a proven detriment and/or high risk safeguarding concerns. Data subjects may encounter significant/ irreversible consequences that they may not overcome (eg financial jeopardy)
If a potential for a high risk is identified (due to a chance of severe harm and/or a probable likelihood of harm), the organisation will need a compelling legitimate interest to satisfy the balancing test (ie it will need to demonstrate that its legitimate interests can override a serious impact). Where a high risk is identified, a DPIA must be completed. Where there is a lower risk of harm, this needs to be weighed against the potential benefits of the processing.
Organisations should consider whether any safeguards (eg collecting less data or providing an opt-out) could be implemented to reduce the risk. Implementing such safeguards may result in the data subject’s interests no longer overriding the organisation’s interests while bearing in mind that safeguards don’t necessarily justify the processing.
For more information and a worked example, see the ICO’s guidance on carrying out an LIA.
How to decide on an outcome after carrying out an LIA
Organisations will need to consider and weigh up all factors (for and against the processing) identified in the LIA. They will then need to decide whether their interests still take priority over the risks to any individuals. This is not a mathematical exercise and there is an element of subjectivity involved, but organisations should be as objective as possible. Organisations must be confident that they can demonstrate that the benefit of processing justifies any risks they have identified. Where the risks are more significant or serious, a more compelling justification will be needed.
If it is very difficult to determine an outcome and an organisation isn’t sure how best to proceed, finding another lawful basis for processing may be safest. This is because legitimate interest is not the most appropriate ground for any unexpected or high-risk processing.
For a worked example, read the ICO’s guidance on carrying out an LIA.
What happens after an LIA is completed?
Where an LIA has been completed, and the processing takes place on the basis of legitimate interest, the LIA must be regularly reviewed. An LIA may need to be repeated if there are any significant changes (eg to the nature, scope, context or purposes of the data processing) that may affect the balance between the organisation’s interests and the risks to the individual.
How are LIAs and DPIAs connected?
While similarities between LIAs and DPIAs exist, an LIA is a simpler form of risk assessment designed for organisations to properly identify their purpose and consider its impact on individuals. An LIA is needed whenever data is to be processed on the legitimate interest ground, and there are no requirements to detail content or processes involved, provided that the processing is justifiable. On the other hand, a DPIA is a more in-depth process, with specific requirements regarding content and processes. DPIAs are required, irrespective of the lawful basis for processing, whenever the potential processing is likely to result in high risk.
However, organisations should be aware that there is some overlap between LIAs and DPIAs. It is sensible to incorporate the DPIA screening checklist into the LIA balancing test if data that is likely to result in high risk is being processed. This may help identify potential risks to individuals.
Further, LIAs may act as a trigger for DPIAs, where an LIA identifies the potential for high risks to individuals’ rights and freedoms. Where this is the case, a DPIA must be carried out.
It’s important to note that organisations don’t necessarily have to carry out an LIA in addition to a DPIA. As a DPIA covers the same grounds as an LIA, but in greater detail, a DPIA can be used instead of an LIA to demonstrate precisely how the legitimate interest ground applies.
For more information on DPIAs, read Processing high-risk personal data and DPIAs.
Ask a lawyer if you have any questions or require assistance. Consider using our GDPR compliance service to ensure your business complies with all relevant data protection laws.
