How do we apply legitimate interests in practice?

In detail

What do we need to do in practice?

To demonstrate that legitimate interests applies, you must do the three-part test. You should document the outcome. We refer to documenting the outcome as a ‘legitimate interests assessment’ or LIA (although the UK GDPR doesn’t use this terminology).

An LIA is a type of light-touch risk assessment. It is based on the specific context and circumstances of what you want to do with the personal information.

You should record your LIA and the outcome. There’s no specific requirement in the UK GDPR for you to do this. However, you must ensure that you’re accountable. This means that you should keep an audit trail of your decisions and justification for relying on legitimate interests.

There’s no standardised approach to an LIA. Sometimes your LIA might be quite short, but in other situations, it may be much more detailed. It may also indicate that you need to do a DPIA.

Other resources

Sample LIA template (Word)

Why are LIAs important?

The UK GDPR doesn’t require you to do an LIA. But you should do one anyway.

LIAs encourage and help you to:

  • ask yourself the right questions about how you want to use personal information;
  • consider people’s reasonable expectations objectively; and
  • think clearly and sensibly about what you want to do and the impact it may have on people.

This is also relevant for your other obligations, such as the accountability principle and data protection by design. For example, documenting your LIA helps you demonstrate your compliance with the data protection principles.

What’s the process for an LIA?

There’s no defined process for an LIA. But as you must do the three-part test for legitimate interests to apply, you should approach an LIA by using the test as a basis:

(1) The purpose test (identify the legitimate interest).

(2) The necessity test (consider if your use of the personal information is necessary).

(3) The balancing test (consider the person’s interests).

The LIA doesn’t have to take any particular form, although you could use our sample LIA template, if you find it helpful. However, you must address each part of the three-part test. You should record the outcome, including all the relevant factors, whether or not they support your conclusion. This shows you have taken everything into account before making your decision.

You should do your LIA before you start using the personal information. This is because your LIA helps you decide if the legitimate interest basis applies. Remember, you must have a valid, lawful basis before you start using personal information.

(1) How do we do the purpose test?

You must:

  • identify your purpose; and
  • decide whether it counts as a legitimate interest.

Be as specific as possible, as this helps you with the necessity and balancing tests.

You should ask the following questions:

  • Why do you want to use the personal information?
  • What benefit do you expect to get from that use?
  • Do any third parties benefit from the processing?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • What is the intended outcome for people?
  • Are you complying with other relevant laws?
  • Are you complying with industry guidelines or codes of practice?
  • Are there any ethical issues with the processing?

You should also check whether you intend to use personal information for purposes covered by the separate recognised legitimate interest basis. You may find that basis more appropriate.

The UK GDPR mentions the following as potential legitimate interests:

  • "intra-group transmissions" for internal administration:
  • direct marketing; and
  • security of network and information systems.

But this only gives you a possible answer to the purpose test. You must not assume that the purpose is sufficient to rely on legitimate interests. You must do the other parts of the test, and you should still do an LIA. (For more information, see the section on When can we rely on legitimate interests?.)

Example

Lenders share personal information with credit reference agencies (CRAs) about a person’s payments on an account. The CRAs then share that information with any other lender the person makes an application to. This allows other lenders to assess the person’s ability and willingness to repay a loan.

The intended outcome for the person is that they will either be granted or refused credit based on their ability and willingness to repay.

The lender considers whether there is a legitimate interest in sharing personal information for this purpose:

  • The lender wants to accurately assess the likelihood that they will get back the money they lend because this will:
    • minimise the risk of bad debts; and
    • ensure the lender makes sustainable lending decisions to achieve a reasonable overall rate of return.
  • It’s in the interests of the person making the application for lenders to make responsible lending decisions. This is so that lenders don’t allow the person to become burdened with debt they can’t afford.
  • It’s also in the public’s interests that lenders can make accurate risk assessments when making lending decisions. Without this, lenders may be less willing to lend overall, or to lend at a reasonable interest rate.
  • The lender will also comply with relevant consumer credit laws and standards.

The lender considers that these benefits are vital to the proper functioning of the credit system.

The lender has demonstrated a clear and specific legitimate interest. They have a good foundation for demonstrating necessity and objectively considering the balance of interests.

(2) How do we do the necessity test?

You must consider carefully whether your use of the personal information is actually necessary for the purpose you identify in step one.

You should ask the following questions:

  • Will what you want to do with the information actually help you achieve your purpose?
  • Is what you want to do proportionate to achieve that purpose, or is it excessive?
  • Can you achieve your purpose without using the personal information, or by using less information?
  • Can you achieve your purpose by using the information in another, more obvious or less intrusive way?

Be honest in your consideration of whether the processing is necessary. If there are potentially other less intrusive alternatives, you should be clear why these aren’t reasonable alternatives.

You may need to go back to step one if:

  • you find it difficult to explain how your use of the personal information helps achieve your purpose; or
  • the available alternative methods simply aren’t your chosen business model.

In either case, you may need to be more specific about your purpose. A clearly defined purpose is likely to make the necessity test easier.

(3) How do we do the balancing test?

You must consider the interests and fundamental rights and freedoms of the person and whether these override the legitimate interests you have identified.

There’s no exhaustive list of what to consider when conducting the balancing test, but you must include people’s reasonable expectations. You should also think about:

  • the nature of the personal information you want to use;
  • the likely impact of your use of the information on these people; and
  • any safeguards you can put in place to reduce negative impacts.

Nature of the information

You should think about the sensitivity of the personal information you plan to process. For example, you should ask the following questions:

  • Is it special category data?
  • Is it criminal offence data?
  • Is it another type of information that people are likely to consider particularly ‘private’ (eg financial information)?
  • Are you intending to use:
    • children’s information; or
    • information about other people who are at risk of harm?
  • Is it information about people in their personal or professional capacity?

The more sensitive or ‘private’ the information, the more likely that its use will be intrusive. It is also more likely to create significant risks to people’s rights and freedoms (eg by putting them at risk of unlawful discrimination). You should have a more compelling reason to use this type of information and take particular care to put adequate safeguards in place.

If what you want to do involves personal information that is considered less sensitive or private (such as information about people in their business capacity), the impact may be lower. However, you should still consider the likely impact.

Example

An employer asks their employees to provide emergency contact details of a family member or friend in case they have an accident or become seriously ill at work.

It’s not practical for the employer to have consent from the family or friends of all their employees to process their contact details for the purposes of being used in an emergency. So the employer considers whether the legitimate interests basis applies.

The employer notes that being able to contact an employee’s designated family member or friend in an emergency is a legitimate interest as a responsible employer. They also note that it is in the interests of the employee that a family member or friend knows about the emergency. It is also in the interests of the employee’s nominated person to be told.

The employer decides that asking employees to provide the personal information of other people is necessary for this purpose. They also decide that there is no other reasonable way of achieving the purpose.

The employer goes on to consider the balancing test. They take into account that the personal information they will be handling is not sensitive (names and contact details). They determine that the impact of holding these details in case of an emergency is minimal. The employer decides that:

  • only their HR department will have access to these contact details; and
  • they will ensure they can only use these details in an emergency.

They determine that the balance favours their legitimate interest in handling the personal information.

Reasonable expectations

You must consider whether people will reasonably expect you to use their information in this way in the particular circumstances. You should consider all relevant factors, including the following:

  • Do you have an existing relationship with that person? If so, what is the nature of that relationship?
  • How have you used their information in the past?
  • Did you collect the information directly from that person?
  • What did you tell them at the time?
  • If you obtained the information from another source, what did they tell people about the reuse of their information by third parties for other purposes?
  • How long ago was the information collected?
  • Are there any changes in technology or other contexts since that time that would affect current expectations?
  • Is what you want to do and how you want to do it obvious or widely understood?
  • Are you intending to do anything new or innovative?
  • Do you have any actual evidence about expectations (eg from market research, focus groups or other forms of consultation)?
  • Are there any other factors in the particular circumstances that mean the person would or would not expect the processing?

This is an objective test. You don’t have to show that every person does, in fact, expect you to use their information in this way. Instead, you should show that a reasonable person would expect the processing in the particular circumstances.

It may be that your purpose and method of using the information are not immediately obvious and people might reasonably disagree about whether they would expect this use of their information. In this case, you could:

  • carry out some form of consultation, focus group or market research with people to demonstrate expectations and support your position; or
  • draw on pre-existing studies about reasonable expectations in a particular context, as part of your determination of what people may or may not expect.

If you want to use children’s information, you must consider what the child might reasonably expect you to do with their information, in the context of your relationship with them. You must make sure that you adequately protect their interests.

Impact and safeguards

You should consider the potential impact on people and any harm that your use of their information may cause.

First, you must consider whether what you want to do with the information is likely to result in a high risk to people’s rights and freedoms. If so, you must do a DPIA. (See the section How does this tie in to DPIAs? for more information.)

However, regardless of whether your use of the information is likely to result in a high risk, you must still do the three-part test. This is a separate requirement. An LIA is a lighter-touch risk assessment to consider whether your use of the information might cause any harm to people’s interests, rights and freedoms, even if this isn’t a high risk.

When considering impacts and safeguards for your LIA, you should think about whether what you want to do might contribute to:

  • a barrier to people exercising their rights (including but not limited to privacy rights);
  • a barrier to people accessing services or opportunities;
  • any loss of control over the further use of personal information;
  • physical harm;
  • financial loss, identity theft or fraud; or
  • any other significant economic or social disadvantage (such as discrimination, loss of confidentiality or reputational damage).

You should look at both the likelihood and severity of any harm.

Remember, children’s information has an increased need for protection. They may not be able to understand:

  • the risks or consequences of what you want to do with their information; or
  • the safeguards that can protect against these risks.

As a result, the impact on them is likely to be different than for adults. It is also likely to be different depending on the age range of the children. When you consider impacts and safeguards, you must ensure that you are adequately protecting their interests, rights and freedoms.

If you identify the potential for a high risk to people, you must have a more compelling legitimate interest to satisfy the balancing test. This can be either a chance of severe harm or a high likelihood of harm. You must demonstrate that your legitimate interests can override a serious impact. This also triggers the need to do a DPIA to assess those risks in more detail (see the section on How does this tie in to DPIAs?).

If you identify some harm that is not high risk, you should weigh this against the potential benefits of what you want to do with the personal information. You could also consider whether there are any safeguards that you can put in place to reduce or mitigate this risk. For example, can you:

  • collect less personal information; or
  • provide people with an opt-out?

Example

A retailer wants to send offers by post to their customers. Their product order form contains the following statement:

"We will send you information about our special offers to your billing address. If you don’t want to hear about our offers, please tick here."

The retailer balances the interests of their customers against their legitimate interests in sending postal marketing to existing customers to improve sales.

The retailer has provided a clear indication of how they will use their customers’ information. Therefore, customers are likely to reasonably expect that they may receive some marketing material from the retailer.

The impact on people is minimal. However, by giving their customers a clear opportunity to opt out, the retailer has also put in a safeguard. This ensures people:

  • retain control over their information; and
  • can easily exercise their right to object.

You may find that building in appropriate safeguards can change the outcome of the balancing test so that the person’s interests no longer override your interests. However, be aware that safeguards don’t always justify what you want to do with the personal information.

Providing an opt-out to people as part of using legitimate interests doesn’t mean you can use consent as your lawful basis. Failure to opt out doesn’t demonstrate consent.

Further reading – ICO guidance

Data protection harms

Consent

How do we decide the outcome?

You should:

  • objectively weigh up all the factors identified during your LIA for and against the processing; and
  • decide whether you still think your interests take priority over any risk to people.

You should be confident that you can show how the benefits of your use of the personal information justify any risks you have identified. The more significant the risks, the more compelling the justification you should have.

Sometimes the outcome very obviously weighs in one direction, and in these cases, making the decision is likely to be straightforward.

Example

A company is deciding whether to dismiss one of their employees for misconduct. The company decides that they need advice about employment law. They want to send details of the employee’s alleged misconduct to their external legal advisors.

Purpose test: The company needs to be able to manage the performance of their workforce and ensure employees act appropriately. They also need to ensure that any action they take is in accordance with their employment law obligations. This is in the legitimate business interests of the company. It’s also in the legitimate interests of employees that the company acts fairly and within the law in their dealings with employees.

Necessity test: It is necessary to obtain external legal expertise about the alleged misconduct and the relevant legal framework for this purpose. The company will only share the personal information that is relevant to the allegations with their legal advisors, subject to professional confidentiality obligations.

Balancing test: The information concerns the employee’s professional life rather than their private life. There is a clearly defined employer-employee relationship. Employees would reasonably expect the company to:

  • process details of professional conduct to manage performance; and
  • seek legal advice when dealing with potential dismissals.

Sharing the information might contribute to significant harm to the employee if the advice supports dismissal. But it is also likely to help to ensure that the decision is not arbitrary or unlawful. The personal information is shared subject to professional confidentiality obligations. These provide a safeguard against other risks or loss of control over the information.

The outcome for the company, having considered all the relevant factors, is that the employee’s interests do not outweigh their legitimate interests in obtaining legal advice. The company relies on the legitimate interests lawful basis to use the personal information.

In other cases, you may find the outcome is harder to determine. If you’re not sure, it may be safer to look for another lawful basis. Legitimate interests is not often the most appropriate lawful basis for handling personal information in a way that is unexpected or high risk.

Further reading – ICO guidance

A guide to lawful basis

What happens next?

Once you’ve conducted your LIA and decided you can rely on legitimate interests, you should review the LIA regularly.

You must consider another lawful basis if your LIA indicates that the impact on people overrides your legitimate interests. The legitimate interests basis won’t apply.

You should consider whether another lawful basis applies if the decision is not obvious and you’re not confident that your interests justify the impact on people. For example, consent may be appropriate if you want to give people full control over the use of their information.

If your LIA identifies potential high risks to people’s rights and freedoms, you must do a DPIA to assess the risks and potential safeguards in more detail. (See the section How does this tie in to DPIAs? for more information.)

Refresh your LIA as appropriate (eg if anything significant changes, such as your purpose, nature or context). These changes may affect the balance between you and the person. If a new and unforeseen impact arises, you should revisit the balancing test and consider if you need any further safeguards.

Further reading – ICO guidance

Consent

How does this tie in to DPIAs?

There are similarities between an LIA and a DPIA. Both involve:

  • defining the purpose of the processing;
  • identifying and assessing risk; and
  • considering possible safeguards.

However, an LIA is intended as a simpler form of risk assessment. It prompts you to properly identify your purpose and think about the impact on people. You should do an LIA in any case where you are considering using the legitimate interests basis. This applies whether or not there are any particular reasons for concern.

There are no requirements for content or process with an LIA. But you should be confident that what you want to do with the personal information is justifiable (see the section What’s the process for an LIA?).

By contrast, a DPIA is a much more in-depth task. It covers the entire process from start to finish. It has specific minimum requirements for content and process. Remember, you must do a DPIA if the use of personal information is likely to result in high risk. This applies regardless of which lawful basis may apply. And if you can’t mitigate these risks to an acceptable level, you must consult us before you start using the personal information.

However, there is some overlap between an LIA and a DPIA, and you should recognise this in your processes. In practice, it’s sensible to incorporate our DPIA screening checklist for types of processing likely to result in high risk (see further reading box below) into your balancing test, as a simple way of identifying risks to people.

An LIA is also a potential trigger for a DPIA. If your LIA identifies the potential for high risks to people’s rights and freedoms, you’re likely to need to do a DPIA. This might be either because of the severity or the likelihood of the harm.

You could build on or adapt your LIA into your DPIA. If you’ve not yet carried out an LIA, there’s no need to do both. You could use your DPIA instead of an LIA to demonstrate how legitimate interests applies, as it covers the same information in more detail.

Further reading – ICO guidance

Our guidance on Data protection impact assessments contains a DPIA screening checklist to help you identify whether what you want to do is likely to result in high risk.