
Legitimate interest assessments

Last reviewed or updated 05/05/2022

What you'll learn:

 What is legitimate interest?
 When can legitimate interest be relied on?
 What is a legitimate interest assessment?
 What does an LIA cover?
 The purpose test
 The necessity test
 The balancing test
 Deciding on an outcome
 What happens after an LIA is completed?
 How are LIAs and DPIAs connected?

When organisations process personal data, they need to comply with relevant data protection
laws, including having a lawful basis for processing, such as legitimate interest. To rely on
the legitimate interest ground, a legitimate interest assessment needs to be carried out. Read
this guide to find out more.


What is legitimate interest?

Legitimate interest is one of the six lawful grounds for the processing (eg obtaining or
recording) of personal data (eg names, addresses and information about racial or ethnic
origin). An organisation can rely on the legitimate interest ground where the processing
is necessary for the legitimate interest of the organisation (also known as the ‘data
controller’) or a third party, as long as the processing does not override the fundamental
interest, rights and freedoms of the data subject (ie the individual the data relates to).
Legitimate interests can include commercial interests, individual interests or broader societal
benefits. For example, data processing may be in the legitimate interest of an organisation for
network and information security or the prevention of fraud. Read Processing personal
data for more information.
Being ‘necessary’

Being ‘necessary’ means that the processing must be carried out in a targeted and proportionate
way. If there is another reasonable and less intrusive way of achieving the same result, the
legitimate interest ground will not be appropriate.

Fundamental interest, rights and freedoms

When determining whether the processing overrides the fundamental interest, rights and
freedoms of data subjects, organisations should focus on the potential impact on data
subjects, including physical, financial or any other impacts (eg social disadvantages).

When can legitimate interest be relied on?

While the legitimate interest ground is the most flexible lawful basis for processing, it won’t
always be the most appropriate. Generally, legitimate interest is likely to be most appropriate
when:
 the processing, while not required by law, is of clear benefit to the organisation or others
 the processing has a limited privacy impact on the data subject
 the personal data is being used in a way that the data subject would reasonably expect, and
 the organisation cannot (or does not want to) give the data subject full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing
Organisations may also be able to rely on the legitimate interests ground if they have
a compelling reason for the processing. This is especially the case where the data processing
is more intrusive. However, organisations will have to be able to justify the impact on data
subjects.
While the legitimate interest ground can be relied on when children’s data is being processed,
organisations will need to take extra care to ensure that their interests are protected. For more
information, see the Information Commissioner’s Office (ICO) guidance.
Organisations should generally avoid relying on legitimate interest if they are using personal
data in a way that data subjects would not understand and not reasonably expect, or if data
subjects would object to the processing if it was explained to them. Processing on the
legitimate interest ground should also be avoided where the processing could cause
harm unless a compelling reason which justified the impact exists.
Public authorities cannot rely on the legitimate interest for any processing in connection with
the performance of their tasks as a public authority.
For more information, see the ICO’s guidance.
What is a legitimate interest assessment?
Whenever an organisation wishes to process personal data in reliance on the legitimate
interest ground, it will need to carry out a Legitimate interest assessment (LIA). An LIA is
used to identify:
 what that legitimate interest of the processing is
 the benefits of processing the personal data in that way
 if such processing is necessary
Where personal data is to be processed on the ground of legitimate interest, an LIA needs to
be carried out before any data is processed.

What does an LIA cover?

While there is no set process for LIAs, they generally follow a three-part test:
 the purpose test - identifying the legitimate interest
 the necessity test - considering whether the processing is necessary
 the balancing test - considering individuals’ interests and balancing them against the organisation’s interest

The purpose test

This involves organisations identifying their purpose for processing and deciding whether it
counts as a legitimate interest. Organisations should consider:
 why they want to process the data
 what benefits are expected from the processing (including benefits for the organisation, any third parties and the wider public) and how important those benefits are
 the impact if the processing couldn’t go ahead
 the intended outcome for individuals
 whether any specific data protection rules (eg profiling requirements) and other relevant laws (eg specific e-privacy legislation) are complied with
 whether industry guidelines and/or codes of practice are complied with
 if any ethical issues exist in relation to the processing
If data is processed for any of the following purposes, the UK General Data Protection
Regulation (GDPR) sets out that a legitimate interest exists:
 the prevention of fraud (provided that it is strictly necessary)
 network and information security (provided that it is strictly necessary)
 indicating possible criminal acts or threats to public security
Under the GDPR the legitimate interest ground will further likely apply:
 if the organisation is processing employee or client data
 for direct marketing purposes
 for intra-group administrative transfers
Where possible, the purpose should be as specific as possible. Having a clearly defined
purpose will make carrying out the rest of the assessment (and especially the necessity test)
easier. For more information and a worked example, read the ICO’s guidance.
If the purpose test cannot be met, an organisation cannot rely on legitimate interests as a
lawful basis for processing.

The necessity test

This involves considering if the processing is actually necessary for the specific purpose
identified in the purpose test. Organisations should consider if:
 the processing will actually help them achieve their purpose
 the processing is proportionate to that purpose
 the purpose could be achieved without processing the data (or by processing less data)
 the purpose could be achieved by processing in another less intrusive or more obvious way
If other less intrusive alternatives to processing the data exist, the LIA needs to clearly set out
why these are not reasonable alternatives.
If, while completing an LIA, it becomes difficult to explain how the processing helps achieve
the specified purpose, or if many alternative methods exist which aren’t the organisation’s
chosen business model, the purpose may need to be further specified.
For more information and a worked example, read the ICO’s guidance.

The balancing test

This involves the organisation considering the interests, fundamental rights and freedoms of
the data subject and balancing them against their own interest. In other words, the
organisation needs to determine whether data subject rights override the legitimate interests it
has identified. This will involve considering:
 the nature of the personal data to be processed
 the reasonable expectations of the data subject
 the likely impact of the processing on the data subject and if any safeguards can be implemented to reduce any negative impacts

Nature of the data

Organisations should consider the sensitivity of the personal data, specifically:
 if the personal data is special category sensitive personal data (eg information about physical/mental health) or criminal offence data (eg information about criminal activity) - which are afforded greater protection under the law
 if the data is likely to be considered particularly private (eg financial data)
 if the personal data relates to children or other vulnerable individuals
 if the data is about people in their personal or professional capacity
The more sensitive (or private) personal data is, the more likely it is that the processing will
be intrusive or create a significant risk to the data subject’s rights and freedoms (eg putting
someone at risk of unlawful discrimination). Where this is the case, organisations will need to
have a compelling justification for using the data and will need to take special care to have
adequate safeguards in place.
If the personal data is considered less sensitive or private (eg because it concerns data
subjects in their work capacity) then the impact may be less. However, organisations will still
need to consider its likely impact.

Reasonable expectations

Organisations should consider whether data subjects would reasonably expect them to use their
personal data in this way, considering all relevant factors, including:
 if there is an existing relationship with the data subject (legitimate interests is more likely to apply where there is a ‘relevant and appropriate relationship’, for example, because the data subject is a client or employee. If there isn’t a pre-existing relationship, it can be harder to demonstrate that the processing can be reasonably expected)
 how the data subject’s data has been used in the past (if data has been used in a similar or the same way, the processing is more likely to be reasonably expected)
 whether the data was collected directly from the data subject and, if so, what they were told at the time (eg information may have been provided in a privacy notice)
 whether the data was obtained from a third party (eg one which collects data via a mobile application and uploads it to its servers) and, if so, what that third party told the data subjects about the reuse of the data by others (depending on what data subjects were told, they may be less likely to reasonably expect this type of further processing)
 when the data was collected and if there have been any changes (eg to technology or other context) that may affect current expectations
 if the organisation’s intended purpose is obvious or widely understood (the more obvious/widely understood the intended purpose, the more likely that the processing is reasonably expected)
 if the organisation is planning to do something new or innovative (new or innovative use of personal data may be less reasonably expected)
 if actual evidence about expectations exists (eg from market research or studies)
 any fact-specific factors that indicate that data subjects may or may not reasonably expect the processing
Organisations do not have to show that every individual would expect their data to be used
in this way, but that a reasonable person would expect their data to be used in this way in
light of the specific circumstances.
Organisations may consider carrying out consultations, focus groups or market research if the
processing’s purpose and method are not immediately obvious, and people may have a range
of reasonable expectations regarding the processing. This will help demonstrate expectations
and support the organisation’s position. Organisations may, as part of their determination,
also wish to rely on any pre-existing studies regarding reasonable expectations in such a
context.

Safeguards

Organisations need to consider the potential impact on data subjects and any damages the
processing may cause. As a first step, organisations should consider if the processing is
inherently likely to result in a high risk to individuals’ rights and freedoms (eg processing
of biometric data like fingerprint data/facial images). If this is the case, a Data protection
impact assessment (DPIA) will need to be carried out. For more information on this,
read Data protection impact assessments. Consider following the ICO’s DPIA screening
checklist to determine whether a DPIA is needed.
If the processing is not likely to result in a high risk, a risk assessment will still need to be
carried out to consider whether the processing may cause any harm to the data subject’s
interests, rights and freedoms. Organisations should consider whether the data processing
could contribute to:
 the inability to exercise rights (eg privacy rights)
 the inability to access services/opportunities
 the loss of control over the use of personal data
 discrimination
 identity theft/fraud
 financial or physical harm
 any other significant economic or social disadvantage (eg discrimination, loss of confidentiality or reputational damage)
Both the likelihood and severity of any possible harm should be considered.
The likelihood of possible harm can be remote (possible that it may occur but not
likely), possible (it may happen or reoccur on a semi-regular basis) or probable (reoccurring
on a regular basis).
The severity of the possible harm can be:
 minimal - involving short-term minimal embarrassment to an individual, small amounts of personal data of the data subject and minimal disruption or inconvenience in the service delivery to the individual
 significant - involving significant amounts of personal data being transferred outside of the organisation, leading to significant actual or potential detriment including emotional distress, as well as both physical and financial damage and/or safeguarding concerns
 severe - involving significant amounts of personal data being transferred outside of the organisation leading to a proven detriment and/or high risk safeguarding concerns. Data subjects may encounter significant/irreversible consequences that they may not overcome (eg financial jeopardy)
If a potential for a high risk is identified (due to a chance of severe harm or a probable
likelihood of harm), the organisation will need a compelling legitimate interest to satisfy
the balancing test (ie it will need to demonstrate that its legitimate interests can override a
serious impact). Where a high risk is identified, a DPIA must be completed. Where there is a
lower risk of harm, this needs to be weighed against the potential benefits of the processing.
Organisations should consider if any safeguards (eg collecting less data or providing an opt-out)
could be implemented to reduce the risk. Implementing such safeguards may result in the data
subject’s interests no longer overriding the organisation’s interests, while bearing in mind that
safeguards don’t necessarily justify the processing.
For more information and a worked example, read the ICO’s guidance.

Deciding on an outcome
Organisations will need to consider and weigh up all factors (for and against the processing)
identified in the LIA. They will then need to decide if their interests still take priority over the
risks to any individuals. This is not a mathematical exercise and there is an element of
subjectivity involved, but organisations should be as objective as possible. Organisations
must be confident that they can demonstrate that the benefit of processing justifies any risks
they have identified. Where the risks are more significant or serious, a more compelling
justification will be needed.
If it is very difficult to determine an outcome, and an organisation isn’t sure how best to
proceed, finding another lawful basis for processing may be safest. This is because legitimate
interest is not the most appropriate ground for any unexpected or high-risk processing.
For a worked example, read the ICO’s guidance.
What happens after an LIA is completed?
Where an LIA has been completed, and the processing takes place on the ground of
legitimate interest, the LIA must be kept under regular review. An LIA may need to be
repeated if there are any significant changes (eg to the nature, scope, context or purposes of
the data processing) that may affect the balance between the organisation’s interest and the
risks to the individual.

How are LIAs and DPIAs connected?

While similarities between LIAs and DPIAs exist, an LIA is a simpler form of risk
assessment designed for organisations to properly identify their purpose and consider its
impact on individuals. An LIA is needed whenever data is to be processed on the legitimate
interest ground, but there are no set requirements as to its content or process, provided that the
processing is justifiable. On the other hand, a DPIA is a more in-depth process, with specific
requirements regarding content and process. DPIAs are required, irrespective of the lawful
basis for processing, whenever the potential processing is likely to result in high risk.
However, organisations should be aware that there is some overlap between LIAs and DPIAs.
It is sensible to incorporate the DPIA screening checklist into the balancing test if data that
is likely to result in high risk is being processed. This may help identify potential risks to
individuals.
Further, LIAs may act as a trigger for DPIAs, where an LIA identifies the potential for high
risks to individuals’ rights and freedoms. Where this is the case, a DPIA must be carried out.
It’s important to note that organisations don’t necessarily have to carry out an LIA in addition
to a DPIA. As a DPIA covers the same grounds as an LIA, but in greater detail, a DPIA can
be used instead of an LIA to demonstrate precisely how the legitimate interest ground
applies.
For more information on DPIAs, read Data protection impact assessments and Ask a
lawyer if you have any questions or require assistance.
