How do we apply legitimate interests in practice?
In detail
- What do we need to do in practice?
- Why do we need to do an LIA?
- What’s the process for an LIA?
- How do we decide the outcome?
- What happens next?
- How does this tie in to DPIAs?
What do we need to do in practice?
You need to assess each part of the three-part test, and document the outcome so that you can demonstrate that legitimate interests applies. We refer to this as a ‘legitimate interests assessment’ or LIA (although this terminology does not itself appear in the UK GDPR).
An LIA is a type of light-touch risk assessment based on the specific context and circumstances of the processing.
You need to record your LIA and the outcome. There is no specific requirement in the UK GDPR for you to do this. However, in practice you are likely to need an audit trail of your decisions and justification for processing on the basis of legitimate interests.
There is no one-size-fits-all approach to an LIA. Sometimes your LIA might be quite short, but in other situations it may be much more detailed, or identify the need for a DPIA.
Other resources
Why do we need to do an LIA?
There is no obligation in the UK GDPR to do an LIA, but it is best practice to conduct one and it is difficult to meet your obligations under the accountability principle without it.
The LIA encourages you to ask yourself the right questions about your processing and objectively consider what the reasonable expectations of the individuals are and any impact of the processing on them.
Conducting an LIA helps you ensure that your processing is lawful. It helps you to think clearly and sensibly about your processing and the impact it could have on the individual.
Recording your LIA also helps you demonstrate compliance with the principles and appropriate organisational measures in line with your accountability obligations under Articles 5(2) and 24.
What’s the process for an LIA?
As your LIA determines if the legitimate interests basis applies, you must perform it before you start processing the data. You cannot start processing the data then retrospectively try and apply legitimate interests. Your processing is unlawful without a lawful basis, and this will lead to inevitable breaches of transparency and accountability requirements.
There’s no defined process, but you should approach the LIA by following the three-part test:
- The purpose test (identify the legitimate interest);
- The necessity test (consider if the processing is necessary); and
- The balancing test (consider the individual’s interests).
The LIA doesn’t have to take any particular form, although you can use our template if you find it helpful. However, you need to address each part of the three-part test and record the outcome. You should record all the relevant factors, whether or not they support your conclusion, as this shows that you have taken everything into account prior to making your decision.
1. How do we do the purpose test?
You need to identify your purpose and decide whether it counts as a legitimate interest. Be as specific as possible, as this helps you when it comes to the necessity and balancing tests.
You should ask:
- Why do you want to process the data?
- What benefit do you expect to get from the processing?
- Do any third parties benefit from the processing?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if you couldn’t go ahead?
- What is the intended outcome for individuals?
- Are you complying with other relevant laws?
- Are you complying with industry guidelines or codes of practice?
- Are there any ethical issues with the processing?
You should also check whether you are using data for one of the following purposes (in which case the UK GDPR specifically says that these are legitimate interests, and, depending on the circumstances, your LIA could be quite brief):
- fraud prevention (to the extent strictly necessary);
- network and information security (to the extent strictly necessary); or
- indicating possible criminal acts or threats to public security.
Note that although intra-group administrative transfers and marketing are mentioned in the UK GDPR as potential legitimate interests, you are likely to need a more detailed LIA and cannot assume that this purpose is enough on its own to help justify your processing. For more information, see the section on When can we rely on legitimate interests?.
Example
Lenders share data with Credit Reference Agencies (CRAs) about the payments made by an individual on an account. That data is then shared with any other lender that the individual makes an application to, so they can assess the individual’s ability and inclination to repay a loan.
- The lender wants to accurately assess the likelihood that they will get back the money they lend out.
- The benefit is to minimise the risk of bad debts and ensure that the lender makes sustainable lending decisions to achieve a reasonable overall rate of return.
- It is also in the interests of the individual making the application that lenders make responsible lending decisions and don’t allow them to become overburdened with debt they can’t afford.
- Finally, it is in the interests of the public that lenders can make accurate risk assessments when making lending decisions. Without this, lenders may be less willing to lend, or at least lend at a reasonable interest rate.
- These benefits are vital to the proper functioning of the credit system.
- The intended outcome for the individual is that they will either be granted or refused credit on the basis of their ability to repay.
- The lenders comply with relevant consumer credit laws and standards.
The lenders have demonstrated a clear and specific legitimate interest, and have a good foundation for demonstrating necessity and objectively considering the balance of interests.
2. How do we do the necessity test?
You must consider carefully whether the processing is actually necessary for the purpose you have identified in step one.
You need to ask:
- Will the processing actually help you achieve your purpose?
- Is the processing proportionate to that purpose, or could it be seen as using a sledgehammer to crack a nut?
- Can you achieve your purpose without processing the data, or by processing less data?
- Can you achieve your purpose by processing the data in another more obvious or less intrusive way?
Be honest in your consideration of whether the processing is necessary. If on the face of it there are potentially other less intrusive alternatives you need to be clear in your LIA why these are not reasonable alternatives.
If you find it difficult to explain how the processing helps achieve your objective, or there are many alternative methods which simply aren’t your chosen business model, you may need to go back to step one and be more specific about your purpose. A clearly defined purpose should make the necessity test easier to navigate.
3. How do we do the balancing test?
You need to consider the interests and fundamental rights and freedoms of the individual, and whether these override the legitimate interests you have identified.
There is no exhaustive list of what you should take into account when conducting the balancing test. However you should as a minimum consider:
- the nature of the personal data you want to process;
- the reasonable expectations of the individual; and
- the likely impact of the processing on the individual and whether any safeguards can be put in place to mitigate negative impacts.
Nature of the data
You need to think about the sensitivity of the personal data you intend to process. For example:
- Is it special category data?
- Is it criminal offence data?
- Is it another type of data that people are likely to consider particularly ‘private’, for example financial data?
- Are you processing children’s data or data relating to other vulnerable individuals?
- Is it data about people in their personal or professional capacity?
The more sensitive or ‘private’ the data, the more likely the processing is to be considered intrusive or to create significant risks to the individual’s rights and freedoms. For example, by putting them at risk of unlawful discrimination. You are likely to need a more compelling reason to use this type of data, and take particular care to put adequate safeguards in place.
In contrast, if the processing involves personal data which is considered less sensitive or private, such as that of individuals in their work capacity, then it may be that the impact is less (although you should still give some thought to the likely impact).
Example
An employer asks its employees to provide emergency contact details of a family member or friend in case they have an accident or become seriously ill at work.
It is not practical for the employer to have consent from the family or friends of all its employees in order to process their contact details for the purposes of being used in an emergency. The employer therefore considers if the legitimate interests basis applies.
The employer considers that being able to contact an individual’s designated family member or friend in an emergency is a legitimate interest as a responsible employer. It also notes that it is in the interests of the employee that a family member or friend knows about the emergency and likewise it is in the interests of nominated person to be told.
It decides that asking employees to provide the personal data of other individuals is necessary for this purpose and that there is no other reasonable way of achieving the purpose.
The employer goes on to consider the balancing test. It takes into account that the data that it will be processing is not sensitive (names and contact details) and determines that the impact of holding these details in case of an emergency is minimal. The employer decides that only its HR department will have access to the contact details and will ensure that these details can only be used in an actual emergency. It determines that the balance favours their legitimate interest in processing the data.
Reasonable expectations
You need to consider whether people will reasonably expect you to use their data in this way in the particular circumstances. You should consider all relevant factors, including:
- Do you have an existing relationship with the individual? If so, what is the nature of that relationship?
- How have you used their data in the past?
- Did you collect data directly from the individual?
- What did you tell individuals at the time?
- If you obtained the data from a third party, what did they tell individuals about reuse of the data by third parties for other purposes?
- How long ago was the data collected? Are there any changes in technology or other context since that time that would affect current expectations?
- Is your intended purpose and method obvious or widely understood?
- Are you intending to do anything new or innovative?
- Do you have any actual evidence about expectations, eg from market research, focus groups or other forms of consultation?
- Are there any other factors in the particular circumstances that mean they would or would not expect the processing?
This is an objective test. You do not have to show that every individual does in fact expect you to use their data in this way. Instead, you have to show that a reasonable person would expect the processing in light of the particular circumstances.
If your purpose and method of processing is not immediately obvious and there is the potential for a range of reasonable opinions about whether people would expect it, you may wish to carry out some form of consultation, focus group or market research with individuals to demonstrate expectations and support your position. If there are pre-existing studies in regard to reasonable expectations in a particular context, you may be able to draw on these as part of your determination of what individuals may or may not expect.
Impact and safeguards
You need to consider the potential impact on individuals and any damage that your processing might cause.
Firstly, you should consider whether your processing is of a type inherently likely to result in a high risk to individuals’ rights and freedoms. If so, you need to do a DPIA, which can also function as your LIA. If you do a DPIA, there is no need to do a separate LIA as it covers the same ground in more detail. You can use our DPIA screening checklist to identify whether the processing is of a type likely to result in high risk.
If you decide you do not need to do a DPIA, you still need to do a lighter-touch risk assessment to consider whether your processing might cause any harm to individuals’ interests, rights and freedoms, even if this falls short of a high risk. You should in particular think about whether your processing might contribute to:
- a barrier to individuals exercising their rights (including but not limited to privacy rights);
- a barrier to individuals accessing services or opportunities;
- any loss of control over the further use of personal data;
- physical harm;
- financial loss, identity theft or fraud; or
- any other significant economic or social disadvantage (such as discrimination, loss of confidentiality or reputational damage).
You should look at both the likelihood and severity of any harm.
If you identify the potential for a high risk (either due to a chance of severe harm or a high likelihood of some harm), you need a much more compelling legitimate interest to satisfy the balancing test. You need to demonstrate that your legitimate interests can override a serious impact. This also triggers the need for a DPIA to assess those risks in more detail, even if you had not hit a specific trigger on the screening checklist.
If you identify a lower risk of some harm, you need to weigh this against the potential benefits of the processing.
You may also wish to consider if there are any safeguards that you could put in place to reduce or mitigate this risk. For example could you collect less data, or provide individuals with an opt-out?
Example
A retailer wants to send offers by post to its customers. Its product order form contains the following statement:
‘We will send you information about our special offers to your billing address. If you don’t want to hear about our offers please tick here ☐ ’
The retailer balances the interests of its customers against its legitimate interests in sending postal marketing to existing customers to improve sales. Customers are likely to reasonably expect that they may receive some marketing material from the retailer as the retailer has provided a clear indication that this processing will occur. The impact on the individual is minimal. However by giving its customers a clear opportunity to opt out of this processing, the retailer has also put in a safeguard to ensure the individual retains control over their data and can easily exercise their right to object.
You may find that building in appropriate safeguards can change the balance and mean that the individual’s interests no longer override your interests. However you should be aware that safeguards do not always justify the processing.
Providing an opt-out to individuals as part of using legitimate interests should not be confused with using consent as your lawful basis. Failure to opt out does not demonstrate affirmative consent.
Further reading – ICO guidance
How do we decide the outcome?
You need to weigh up all the factors identified during your LIA for and against the processing, and decide whether you still think your interests should take priority over any risk to individuals. This is not a mathematical exercise and there is an element of subjectivity involved, but you should be as objective as possible.
You must be confident that you can show why the benefits of the processing justify any risks you have identified. The more significant the risks, the more compelling your justification must be.
Sometimes the outcome very obviously weighs in one direction in which case making the decision should be straightforward.
Example
A company is deciding whether to dismiss one of its employees for misconduct. The company decides that it needs advice about employment law and wants to send details of the employee’s alleged misconduct to its external legal advisors.
Purpose test: the company needs to be able to manage the performance of its workforce and ensure employees act appropriately. It also needs to ensure that any action it takes is in accordance with its employment law obligations. This is in the legitimate interest business interests of the company. It is also in the legitimate interests of employees that the company acts fairly and within the law in its dealings with employees.
Necessity test: it is necessary to obtain external legal expertise about the alleged misconduct and the relevant legal framework for this purpose. Only the personal data that is relevant to the allegations will be shared with its legal advisors, subject to professional confidentiality obligations.
Balancing test: the data concerns the individual’s professional life rather than private life. There is a clearly defined employer-employee relationship and employees would reasonably expect the company to process details of professional conduct to manage performance, and to seek legal advice when dealing with potential dismissals. Whilst the sharing of the data might contribute to significant harm to the individual if the advice supports dismissal, it should also help to ensure that the decision is not arbitrary or unlawful. The data is also shared subject to professional confidentiality obligations, which provides a safeguard against other risks or loss of control over the data.
The outcome for the company having considered all the relevant factors is that the employee’s interests do not outweigh its legitimate interests in obtaining legal advice, and processing is lawful on the basis of these legitimate interests.
In other cases you may find the outcome is harder to determine. If you are not sure, it may be safer to look for another lawful basis. Legitimate interests is not often the most appropriate basis for processing which is unexpected or high risk.
Further reading – ICO guidance
What happens next?
If you have conducted your LIA and decided to rely on legitimate interests as your lawful basis, you should not assume that this is where your responsibilities end.
Keep your LIA under regular review. If anything significant changes – such as the purpose, nature or context of the processing – that may affect the balance between you and the individual you should revisit your LIA and refresh it as appropriate.
For example if a new and unforeseen impact of your processing comes to light you need to revisit your LIA and the balancing test, and perhaps consider if any further safeguards are needed.
If your LIA concludes that the impact on individual overrides your legitimate interests, then you are not able to process the data for that particular purpose using the legitimate interest basis. You may be able to consider another lawful basis instead.
If it’s a borderline call and you’re not confident that your interests justify the impact on individuals, then you may also wish to look for other lawful basis. For example you may wish to consider if consent is appropriate, to give the individuals full control over the use of their data.
If your LIA identifies potential high risks to the rights and freedoms of the individual you need to go on to do a DPIA to assess the risks and potential safeguards in more detail.
Further reading – ICO guidance
How does this tie in to DPIAs?
There are similarities between an LIA and a DPIA. Both involve considering the purpose of the processing, identifying and assessing risk, and considering possible safeguards.
However an LIA is intended as a simpler form of risk assessment, to prompt you to properly identify your purpose and think about the impact on individuals. You need to do an LIA in any case where you are considering using the legitimate interests basis, whether or not there are any particular reasons for concern. There are no absolute requirements for content or process, as long as you are confident that your processing is justifiable.
By contrast, a DPIA is a much more in-depth end-to-end process, with more specific minimum requirements as to content and process. You only need to do a DPIA if you identify that the processing is of a type considered likely to result in high risk (see our DPIA screening checklist), but you need to do it irrespective of what lawful basis you are considering. If you cannot mitigate risks, you need to consult the ICO before you can start processing.
However, there is some overlap between the two and you should recognise this in your processes. In practice, it is sensible to incorporate the DPIA screening checklist for types of processing likely to result in high risk as part of your balancing test as a simple way of identifying risks to individuals.
An LIA is also a potential trigger for a DPIA. If your LIA identifies the potential for high risks to individuals’ rights and freedoms (either because of the severity or likelihood of the harm) then you are likely to need to carry out a DPIA.
You may be able to build on or adapt your LIA into your DPIA. If you have not yet carried out an LIA, there is no need to do both. You can use your DPIA instead of an LIA to demonstrate how legitimate interests applies, as it covers the same ground in more detail.
Further reading – ICO guidance