A legitimate interests assessment (LIA) is used to determine whether an organisation can process personal data under the legitimate interests lawful basis. This article explains what lawful bases are under the GDPR and how to complete an LIA.
6 lawful bases for processing personal data
Using personal data of any kind requires a lawful basis. Article 6 of the GDPR sets out six lawful bases for processing personal data:
- Consent: the individual has given clear, specific permission for you to use their data in a certain way, e.g. to send them marketing emails. Consent must be as easy to withdraw as it was to give.
- Contract: the processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one, e.g. a utility company needing your address to supply the service.
- Legal obligation: the processing is necessary to comply with a legal obligation that applies to the data controller, e.g. a bank carrying out the customer checks required by anti-money-laundering law.
- Vital interests: the processing is necessary to protect someone's life, e.g. sharing a patient's medical records with emergency staff when the patient is unconscious and cannot consent.
- Public task: the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests: the processing is necessary for your legitimate interests or those of a third party, unless those interests are overridden by the individual's interests, rights or freedoms. Recital 47 gives direct marketing and fraud prevention as examples, and Recital 49 confirms that processing strictly necessary for network and information security (for example, detecting and blocking attacks on your systems) can also be a legitimate interest. This basis is the most flexible of the six, but it places the burden of justification on you.
If you rely on legitimate interests, you must be able to show that the basis applies. The accepted way to do this, and to meet the GDPR's accountability principle, is to carry out and record a legitimate interests assessment (LIA) before the processing starts.
How to complete an LIA
The primary aim of the LIA is to make an organisation pause and consider the impact of the processing on the individual before it begins, and to document why the processing is justified. The completed LIA should be kept on record so that you can demonstrate compliance if challenged.
The Information Commissioner's Office (ICO) recommends a three-part test to determine whether legitimate interests applies:
- Purpose test: are you pursuing a legitimate interest, either your own or a third party's?
- Necessity test: is the processing necessary for that purpose, or could the same result reasonably be achieved in a less intrusive way?
- Balancing test: do the individual's interests, rights or freedoms override your legitimate interest?
All three parts must be satisfied. If any part fails, you cannot rely on legitimate interests and must either find another lawful basis or not carry out the processing.
The GDPR itself does not provide a checklist, but the ICO publishes one on its website, reproduced below, together with an LIA template. The questions map onto the three-part test.
Purpose test
- Why do you want to process the data – what are you trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if you couldn't go ahead?
- Would your use of the data be unethical or unlawful in any way?
Necessity test
- Does this processing actually help to further that interest?
- Is it a reasonable way to go about it?
- Is there another less intrusive way to achieve the same result?
Balancing test
- What is the nature of your relationship with the individual?
- Is any of the data sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the potential impact on the individual?
- How big an impact might it have on them?
- Are you processing children's data?
- Are any of the individuals vulnerable in any other way?
- Can you adopt any safeguards to minimise the impact?
- Can you offer an opt-out?
At Formiti, we help you achieve frictionless compliance with GDPR and other international laws. This includes a detailed global gap analysis, helping you identify areas where you can streamline your data protection efforts, saving you time and money in the process.
Call +44 (0) 121 582 0192 or email [email protected] to learn more about how we can help you.