Legitimate Interest Assessments
There are 6 "lawful bases of processing" under the GDPR, which simply requires any organization collecting, using, storing, sharing or deleting personal information to select a lawful basis before doing so. The GDPR states:
"Processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."
8 years into GDPR enforcement, legitimate interest is the primary lawful basis chosen by most organizations. It is not, however, always the best choice.
"Legitimate interests" covers a wide range of interests, whether those of the company or of third parties, and whether commercial or pursued for wider societal reasons.
GDPR says that examples of legitimate interests include (but are not restricted to):
- Use of client or employee data
- Marketing
- Fraud prevention
- Intra-group transfers
- IT security
These three questions can help determine legitimate interests for data collection and use:
- Purpose: why do you want the data?
- Necessity: is the data processing necessary for the primary purpose?
- Balancing: do the individual’s interests outweigh the legitimate interest?
The data processing must be a targeted and balanced way of achieving the overall purpose. Legitimate interests cannot be relied on as the legal basis for data processing if there is another, less intrusive way to achieve the same end.
Before you begin data processing, you must carry out a legitimate interests assessment (LIA) based on the specific purpose for the data. This will help to determine the lawfulness of the data processing.
Record the LIA to meet the accountability obligation set out in Articles 5(2) and 24 of the GDPR.
To identify the legitimate interest, ask the following:
- What is the overall goal for the data processing?
- Who will benefit from the data processing and how?
- What are the wider public benefits of the data processing?
- Is there any way your use of the data could be unethical or unlawful?
To decide whether it’s necessary, ask:
- Will this data processing actively further the overall interest?
- Is this a reasonable way to reach the goal?
- Could there be a less intrusive way to get the same result?
To decide whether it’s properly balanced for users, ask:
- What is the relationship between the company and the user?
- Is any of the data considered sensitive or special?
- Would the user reasonably expect you to use their data in this way?
- Could some users object and say it’s too intrusive?
- How will the data processing impact the individual?
- What safeguards can you put in place to minimize the impact?
From this you can decide whether legitimate interests is an appropriate lawful basis or whether you should find a more appropriate one.