How to Conduct a GDPR Legitimate Interest Assessment
Keith Messer
Full Stack B2B Revenue & GTM Growth Leader | 2x SVP, Sales & Marketing | B2B SaaS, Software & Agency Exec | 2x Girl Dad
Legitimate Interest is probably the most frequently cited lawful basis for using personal data without explicit consent under the EU General Data Protection Regulation (GDPR). But how does an organization best ‘show its work’ when it claims that basis? Enter the Legitimate Interest Assessment (LIA). The LIA is neither named in the text of the GDPR nor required by it, but it has become an established best practice: it produces a documented audit trail that will prove useful should your organization ever be asked to justify its reliance on Legitimate Interest.
What Does GDPR Say About Legitimate Interest?
To quote the regulation in part (Article 6(1)(f)): “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Two points deserve emphasis: the word ‘necessary’ in the article itself, and the recitals’ call for ‘careful assessment’ before legitimate interest is applied as a lawful basis for processing. Read Applying Legitimate Interest Under GDPR for more on this specific topic.
Why Conduct a Legitimate Interest Assessment?
By now every organization should understand the need to comply with the GDPR, not only to avoid the severe penalties regulators can impose, but as an opportunity to adopt more sustainable marketing and data management practices in general. At the same time, and the GDPR itself recognizes this, the regulation was not meant to inhibit the data processing and communications integral to day-to-day commerce and, by extension, to the prosperity of the EU and global economies as a whole. Hence the room for proper use of options such as Legitimate Interest.
The LIA is the recorded means by which an organization demonstrates that it took the necessary steps to establish a lawful basis for processing, in line with the accountability obligations in Articles 5(2) and 24 of the GDPR. Without such a record, a controller asked to justify its reliance on legitimate interest has little to point to beyond after-the-fact reasoning.
When and How to Undertake the LIA
This should probably go without saying, but since the GDPR requires a lawful basis before personal data is processed, you should conduct a LIA before the processing begins rather than applying one retroactively.
Now that we’ve got that cleared up, let’s move on to the ‘How’ of the Legitimate Interest Assessment…
While the GDPR prescribes no process for conducting a LIA, best practice (notably the UK ICO’s guidance) has settled on the following three-part test:
Part One: Identification or Purpose Test – What is the legitimate interest?
Begin by documenting your reasons for ‘processing’ the data. (We put ‘processing’ in quotes because many organizations intend to rely on legitimate interest for unsolicited communications; sending those communications using personal data is itself processing subject to the GDPR.) Then cross-check against the other lawful bases to confirm that legitimate interest, rather than consent, contract or a legal obligation, is the appropriate one.
Be sure to note if you are processing data for network and information security, fraud prevention or direct marketing, as the recitals to the GDPR (Recitals 47 and 49) specifically name these purposes as ones that may constitute a legitimate interest. Naming a recital does not end the assessment, but it does give the purpose test a firmer footing.
When undertaking the Identification/Purpose Test, ask questions such as:
– Why is the data being ‘processed’?
– How do you benefit from the ‘processing’? Who else benefits (third parties, the general public, etc.)?
– How important are those benefits, and what would be the impact of not ‘processing’ the data?
– What do the individuals whose data is being ‘processed’ get out of it?
– Are you in compliance with other regulations, industry guidelines and established codes of conduct?
– Could any aspect of the ‘processing’ be considered unethical?
Part Two: Necessity Test – Is the processing necessary?
Identify why the processing is actually necessary to accomplish the purpose laid out in the previous step. Consider and record any alternative methods that exist, along with your reasoning for choosing one over another, especially where a method that could be considered less intrusive is available.
Ultimately, you should be able to show that the purpose cannot reasonably be achieved without ‘processing’ the data in the intended manner. If a less intrusive method would achieve the same purpose, the necessity test is not met.
Part Three: Balancing Test – Are the individual’s rights properly considered?
The key question here is whether any of the individual’s rights or freedoms override the legitimate interest you have identified as your lawful basis for processing. Take specific note of the nature and source of the data being ‘processed’ (was it collected directly from the individual, or obtained from a third party?) and of the potential impact the ‘processing’ might have on the individual it concerns. The more sensitive the data, and the more vulnerable the individual, the more likely the balance tips against you.
Finally, consider whether the individual could reasonably expect their data to be used in the manner you intend, and cite evidence for this where possible, such as the privacy notice they were shown at the point of collection or the context in which the data was provided.
Summing Up the Legitimate Interest Assessment
When conducting the LIA it is important not to lose sight of the forest for the trees. You do not have to show that every individual whose data is being used or processed (with or without their knowledge) would consent if asked. You need only show that you have properly weighed the necessity of the processing against the potential harm, whether social, economic or otherwise, to a typical individual in that position, and that this exercise supports legitimate interest as the lawful basis.
Although the LIA is a structured exercise, there is no numerical score you must reach. You (and your legal team) should emerge with a high degree of confidence that legitimate interest is being properly applied and that the documentation produced by the LIA is sufficient to support that decision if a regulator or data subject challenges it.
Lastly, the Legitimate Interest Assessment should be a living document. Review it regularly and, where material changes are made to data management, communication or other processing practices, repeat the assessment to the extent necessary to re-establish legitimate interest as the lawful basis.
Need more LIA Help? The ICO produced a handy Legitimate Interest Assessment Template to help you get started.