Lawfulness of processing is one of the fundamental principles of the GDPR, which outlines six legal bases that data controllers may rely on to justify their data processing. Next to consent and fulfilment of contract, legitimate interest is most commonly found. Many organizations rely on it but are unaware that merely using this legal ground as an easy go-to solution is not enough. Relying on legitimate interest requires you to conduct a proper assessment that can be boiled down to three important steps that need to be documented.
Legitimate Interest Assessment, or LIA, is not a term that you will find directly in the GDPR. Nonetheless, the GDPR, in article 6 (1)(f), calls on controllers to assess whether their legitimate interests override the interests or fundamental rights and freedoms of data subjects before they can rely on legitimate interest as a legal basis for their processing activities.
What is a legitimate interest assessment?
A LIA is a light-touch risk assessment and a legal requirement whenever you rely on legitimate interest as a legal basis for your processing activities. It is a balancing test that supports the lawfulness of your processing activities and helps you demonstrate accountability, as it shows that you have done the groundwork to determine the most appropriate legal basis.
How do you carry out a legitimate interest assessment?
The GDPR does not specify how to carry out a LIA, but from the wording of article 6 (1)(f) we can understand that you need to carry out a three-step test:
1. The purpose test
The first step is assessing whether the purpose of the processing is aligned with the legitimate interest you are pursuing. You need to identify and document the purpose for processing the personal data and your legitimate interest, identify who benefits from the processing, and pinpoint what the consequences would be if the processing did not take place.
2. The necessity test
In the second step, you need to assess whether the specific processing that is based on legitimate interest is actually necessary to achieve your purpose. There might be other ways to achieve the same purpose that are less intrusive to the rights and freedoms of data subjects. Therefore, you need to be able to justify your decision and demonstrate that the purpose could not reasonably be achieved in a less intrusive way, for example by processing less personal data.
3. The balancing test
In the third and final step, you need to assess whether your legitimate interest outweighs the data subjects’ rights and freedoms. If it does not, you can’t rely on legitimate interest. Here you need to consider, among other things, the nature of the personal data you are processing, the expectations of data subjects and the impact on them. In cases where the impact is likely to be high, the requirement to carry out a Data Protection Impact Assessment (DPIA) will be triggered.
There are no specific rules on the form or length of the LIA, so you can either create your own template, have a look at the templates created by the supervisory authorities, or use the one DPOrganizer has created for you.
Since you are required to choose the appropriate legal basis before you start processing any personal data, the same applies to carrying out the LIA: once you consider legitimate interest to be the appropriate legal basis, carry out the LIA and, depending on its outcome, you can start processing personal data for your specific purpose.