A Legitimate Interest Assessment, or ‘LIA’, is a tool used by businesses to help them comply with data protection laws. Put simply, it is a way of ensuring that the way in which you use people's personal data is both lawful and fair.
The GDPR says that you can only process personal data if you have a legal basis for doing so. One of those legal bases is called "legitimate interests". If you want to rely on legitimate interests as your legal basis, you must first assess whether your proposed processing of personal data meets the three elements of the legitimate interests test:
that there is a legitimate interest;
the legitimate interest is necessary; and
the legitimate interest does not unfairly prejudice the rights and interests of the individual.
The assessment itself should be thorough and well-documented, specifying exactly what you want to do with the data, what benefit this will bring to your organisation, and how any risks will be mitigated. It should also take into account the rights and interests of individuals and how these will be affected by the use of their data. If you can demonstrate that your proposed processing meets all three elements of the test, then you can go ahead and rely on legitimate interests as your legal basis. Otherwise, you will need to look at another legal basis.
The good news is that you don't have to carry out an LIA every time you process personal data – in many cases it will be obvious that your legitimate interests are met. For example, if you want to communicate with someone who has already bought something from you, it's clear that there is a legitimate interest (you're selling them more stuff!) and that this isn't going to unfairly prejudice them in any way. So long as you're not using their data in a way they wouldn't reasonably expect – e.g. by selling it on without their consent – then all being well you won't need to conduct an assessment. However, if you're not sure whether your proposed processing falls within an individual's reasonable expectations, or if there may be some other factor which would make the processing unfair, then conducting an LIA would be prudent.
In summary, a Legitimate Interest Assessment helps businesses to stay compliant with data protection laws by ensuring that their proposed processing of personal data is both lawful and fair.
Solicitor Andrew Swan commented: “I have assisted a lot of businesses with their LIAs, which are generally quite straightforward. The key is to make sure you do the assessment in a fair way and ultimately that your legitimate interests balance against the rights and freedoms of the individuals whose data you are looking to process. However, if your intention is to direct market to people, you must also be careful of the restrictions under PECR 2003.”
For more information, please contact Andrew at firstname.lastname@example.org or on tel: 07907 308773.