Last reviewed or updated 05/05/2022
When organisations process personal data, they need to comply with relevant data protection
laws, including having a lawful basis for processing, such as legitimate interest. To rely on
the legitimate interest ground, a legitimate interest assessment needs to be carried out. Read
this guide to find out more.
When determining whether the processing overrides the fundamental interest, rights and
freedoms of data subjects, organisations should focus on the potential impact on data
subjects, including physical, financial or any other impacts (eg social disadvantages).
Reasonable expectations
Organisations should consider whether data subjects would reasonably expect them to use their
personal data in this way, considering all relevant factors, including:
if there is an existing relationship with the data subject (legitimate interests is
more likely to apply where there is a ‘relevant and appropriate relationship’, for
example, because the data subject is a client or employee. If there isn’t a pre-existing
relationship, it can be harder to demonstrate that the processing can be reasonably
expected)
how the data subject’s data has been used in the past (if data has been used in a
similar or the same way, the processing is more likely to be reasonably expected)
whether the data was collected directly from the data subject and, if so, what
they were told at the time (eg information may have been provided in a privacy
notice)
whether the data was obtained from a third party (eg which collects data via a
mobile application and uploads it to its servers) and, if so, what they told the
data subjects about the reuse of the data by others (depending on what data
subjects were told, they may be less likely to reasonably expect this type of further
processing)
when the data was collected and if there have been any changes (eg to technology
or other context) that may affect current expectations
if the organisation’s intended purpose is obvious or widely understood (the more
obvious/widely understood the intended purpose, the more likely that the processing
is reasonably expected)
if the organisation is planning to do something new or innovative (new or
innovative use of personal data may be less reasonably expected)
if actual evidence about expectations exists (eg from market research or studies)
any fact-specific factors that indicate that data subjects may or may not
reasonably expect the processing
Organisations do not have to show that every individual would expect their data to be used
in this way, but that a reasonable person would expect their data to be used in this way in
light of the specific circumstances.
Organisations may consider carrying out consultations, focus groups or market research if the
processing’s purpose and method are not immediately obvious, and people may have a range
of reasonable expectations regarding the processing. This will help demonstrate expectations
and support the organisation’s position. Organisations may, as part of their determination,
also wish to rely on any pre-existing studies regarding reasonable expectations in such a
context.
Safeguards
Organisations need to consider the potential impact on data subjects and any damage the
processing may cause. As a first step, organisations should consider if the processing is
inherently likely to result in a high risk to individuals’ rights and freedoms (eg processing
of biometric data like fingerprint data/facial images). If this is the case, a data protection
impact assessment (DPIA) will need to be carried out. For more information on this,
read Data protection impact assessments. Consider following the ICO’s DPIA screening
checklist to determine whether a DPIA is needed.
If the processing is not likely to result in a high risk, a risk assessment will still need to be
carried out to consider whether the processing may cause any harm to the data subject’s
interests, rights and freedoms. Organisations should consider whether the data processing
could contribute to:
the inability to exercise rights (eg privacy rights)
the inability to access services/opportunities
the loss of control over the use of personal data
discrimination
identity theft/fraud
financial or physical harm
any other significant economic or social disadvantage (eg discrimination, loss of
confidentiality or reputational damage)
Both the likelihood and severity of any possible harm should be considered.
The likelihood of possible harm can be remote (possible that it may occur but not
likely), possible (it may happen or reoccur on a semi-regular basis) or probable (reoccurring
on a regular basis).
The severity of the possible harm can be:
minimal - involving short-term minimal embarrassment to an individual, small
amounts of personal data of the data subject and minimal disruption or inconvenience
in the service delivery to the individual
significant - involving significant amounts of personal data being transferred outside
of the organisation, leading to significant actual or potential detriment including
emotional distress, as well as both physical and financial damage and/or safeguarding
concerns
severe - involving significant amounts of personal data being transferred outside of
the organisation leading to a proven detriment and/or high risk safeguarding concerns.
Data subjects may encounter significant/irreversible consequences that they may not
overcome (eg financial jeopardy)
If a potential for a high risk is identified (due to a chance of severe harm or a probable
likelihood of harm), the organisation will need a compelling legitimate interest to satisfy
the balancing test (ie it will need to demonstrate that its legitimate interests can override a
serious impact). Where a high risk is identified, a DPIA must be completed. Where there is a
lower risk of harm, this needs to be weighed against the potential benefits of the processing.
Organisations should consider if any safeguards (eg collecting less data or providing an opt-out)
could be implemented to reduce the risk. Implementing such safeguards may result in the
data subject’s interests no longer overriding the organisation’s interests, bearing in mind
that safeguards do not by themselves justify the processing.
For more information and a worked example, read the ICO’s guidance.
Deciding on an outcome
Organisations will need to consider and weigh up all factors (for and against the processing)
identified in the LIA. They will then need to decide if their interests still take priority over the
risks to any individuals. This is not a mathematical exercise and there is an element of
subjectivity involved, but organisations should be as objective as possible. Organisations
must be confident that they can demonstrate that the benefit of processing justifies any risks
they have identified. Where the risks are more significant or serious, a more compelling
justification will be needed.
If it is very difficult to determine an outcome, and an organisation isn’t sure how best to
proceed, finding another lawful basis for processing may be safest. This is because legitimate
interest is not the most appropriate ground for any unexpected or high-risk processing.
For a worked example, read the ICO’s guidance.
What happens after an LIA is completed?
Where an LIA has been completed, and the processing takes place on the ground of
legitimate interest, the LIA must be kept under regular review. An LIA may need to be
repeated if there are any significant changes (eg to the nature, scope, context or purposes of
the data processing) that may affect the balance between the organisation’s interest and the
risks to the individual.