A Legitimate Interest Assessment (LIA) is a risk assessment specifically designed to evaluate the context and purpose of processing against legitimate interests. It aims to identify the benefits to all parties in processing personal data and provides justification for decisions made by Data Controllers in processing such data.
Under Article 6 of the General Data Protection Regulation (GDPR), organisations are required to establish a lawful basis for processing personal data.
Organisations must only process personal data if it falls under one of the six defined bases:
- Explicit Consent
- Contractual Obligations
- Legal Obligations
- Vital Interests
- Public Tasks
- Legitimate Interest
Most of the bases listed above are self-explanatory and can be determined on a case-by-case basis, but how does an organisation effectively determine whether the processing of personal data may be relied upon under Legitimate Interests?
What is Legitimate Interest?
The GDPR defines the purpose of Legitimate Interest in cases where “the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.”
Let us take a simple and common example: John Smith is applying for a job at Company X. By applying for the position and submitting his personal details, John has declared his interest in filling the vacant position. On this basis, Company X has a legitimate interest in processing the personal data received to evaluate the applicant against the requirements of the role, benefitting both the Data Subject and the Organisation.
However, some cases may not be so obvious and require further analysis to determine whether the processing of Personal Data in such a way can rely on Legitimate Interest. Consider the implementation of CCTV monitoring and network security monitoring as physical and logical security measures respectively. In such cases, the benefits of processing for both the organisation and the Data Subjects need to be assessed and balanced against each other to form a lawful basis for the use of Legitimate Interest.
Using Legitimate Interest Assessments (LIAs) to determine whether Legitimate Interest can be used as a Purpose of Processing Personal Data
Whilst not compulsory under the GDPR, it is considered best practice for organisations to demonstrate their consideration of all factors, risks and benefits to all parties, and to provide an audit trail for decisions made on this basis.
There is no standard or fixed approach to an LIA. Assessments may therefore vary according to the type of processing, may be shorter or longer than one another depending on the considerations involved, and may include determining whether a Data Processing Impact Assessment (DPIA) is needed when high-risk processing is involved.
What Organizations Must Do & How BDO can help you be compliant with GDPR
When establishing or modifying processes which involve personal data under legitimate interests, organisations should follow a defined best-practice approach to assessing the suitability of processing under this basis and show structured consideration of how it might affect the company and the Data Subjects.
BDO has established a concise and pragmatic LIA methodology based on a three-part test, which ensures a simple yet comprehensive approach to an LIA and allows organisations to clearly define privacy risks.
Furthermore, BDO’s in-house privacy professionals have a wealth of knowledge and practical experience across various sectors, and are capable of performing an exhaustive LIA through a streamlined approach.