Privacy Rules

Step By Step Guide For Conducting A Legitimate Interests Assessment

What is “legitimate interest”?

Legitimate interests is a legal basis for processing data by businesses and other entities in a way that respects the privacy rights of data subjects (clients, employees, suppliers, etc.).

How does the concept of legitimate interests come about?

If you run a business today, you probably rely quite significantly on your clientele’s data for purposes such as marketing and financial decision making. These purposes represent your “interests.” At the same time, handling data comes with the peril of exposing your clients’ private data, which is both an ethical and a legal pitfall. Because data processing is necessary for many business transactions conducted online and offline, it is critical to keep the procedure efficient. Imagine having to get the permission of your clients every time you wish to process their data. This would be a cumbersome and repetitive procedure that risks delaying business. This is the genesis of the concept of legitimate interests. Based on the stipulations contained in Article 6 of the EU GDPR, legitimate interests allow the data controller to collect, process and sometimes share data without seeking the express consent of the data subject.
Essentially, a legitimate interests assessment (LIA) is conducted to establish whether your data collection and processing approach respects the interests, freedoms and rights of the data subject.
Notably, some tech pioneers in the industry such as Meta and Alphabet have largely failed to implement Privacy by Design (PbD). For example, the Cambridge Analytica scandal in 2018 exposed glaring deficiencies in Facebook’s privacy approach and was crucial in necessitating regulatory enforcement such as the GDPR and CCPA. Newer services such as Signal, DuckDuckGo and Proton Mail emerged in response to these concerns. These apps exemplify Privacy by Design since privacy was the first consideration that went into their creation. The privacy policies, techniques and technologies of these companies reflect their respective levels of dedication to implementing Privacy by Design.

How do you conduct an LIA?

The GDPR does not stipulate a fixed process for conducting an LIA. However, the standard procedure for an LIA generally accepted by industry experts requires the data controller to do the following:

  • Establish a legitimate interest;
  • Demonstrate a valid reason showing the processing is warranted; and
  • Weigh the identified interests against the interests and rights of the data subject

We can package each of these items into a three-part test, comprising:


  1. PURPOSE TEST

A purpose test essentially interrogates which legitimate interests you, your data subjects and other third parties have in the collected data. Some of the questions you need to ask yourself here include:

  • What is the goal of processing the data?
  • Who does the processing benefit and in what way?
  • What benefits, if any, does the data processing have towards the public?
  • What impact would doing away with the processing have on different stakeholders?
  • Are there ethical and moral concerns in processing the data?
  • What are the industry guidelines related to the processing and are you complying with them?

When conducting the purpose test, remember that a number of parties, not only you and the data subject, may have a legitimate interest. Additionally, there can be more than one legitimate interest and these need to be considered as well.


  2. NECESSITY TEST

The essence of the necessity test is whether the processing of the data is necessary and whether it aligns with the intended purpose. To pass the necessity test, you must carefully evaluate the extent to which the processing of personal data is required to fulfill your objectives. This involves considering whether the data collected is relevant and adequate for the intended purpose, as well as whether the processing activities are limited to what is strictly necessary. Some of the questions you might consider in regard to data processing at this step include:

  • Will the processing help your business achieve your intended purpose?
  • Are there other less intrusive ways to achieve that purpose?
  • Is the level of processing proportionate to the intended purpose?
  • Is all the processed data necessary or could you achieve the same purpose with less data?

Here, you as the data controller are trying to establish whether there are better ways to achieve your purpose without the data processing. If no better alternative emerges after answering these questions, then the processing is necessary. In this case you can rely on legitimate interests, supported by your LIA, as a lawful basis for proceeding with the data processing.


  3. BALANCING TEST

Finally, the balancing test is the step where you assess the impacts of data processing on different stakeholders, primarily the data subjects. The goal of the balancing test is to establish whether the interests you are pursuing justify the processing in light of those impacts. Some of the questions that could facilitate your balancing test include:

  • What relationship do you have with the data subject?
  • Would the data subject reasonably expect you to process their data?
  • What impact does the processing have on the individual and to what extent?
  • Are there safeguards that you can put in place to reduce the impact?
  • Is the data subject a vulnerable person (for example, a child or a patient)?
  • Can you explain the full extent of data use?

The balancing test can be seen as a decision based on three factors relating to the data: nature, impact and safeguards. Nature encompasses factors like the type of data and the expectations of the individual. The impact of processing includes any positive or negative effects on the data subject, controller, society and any third parties, in view of their respective status and the processing approach. Safeguards encompass privacy protection tools such as data minimization, anonymization and encryption, among others. A thorough and fair balancing test weighs, and takes due regard of, all the rights and freedoms of the data subject.


What comes after the balancing test?

If the outcome of the balancing test does not favor your interest, you can reduce the scope of the data processing and then conduct another balancing test. Where such scaled-down processing is not possible, the right course is to find an alternative legal basis or to do away with the processing.

Whatever the outcome, the following steps are also crucial:

  1. Maintaining a record of your LIA and its outcome, as this helps demonstrate that you have proper procedures for decision-making. It also helps in codifying the LIA process for future use and refinement. Although this is not a mandatory step, it is worth implementing to ensure that nothing is overlooked.
  2. Reviewing your LIA continuously and updating it according to any change in the purpose or nature of the processing.
  3. Considering whether another assessment, such as a DPIA (Data Protection Impact Assessment) and/or a TIA (Transfer Impact Assessment), is needed. In some cases, legitimate interests by itself might fall short, and this poses significant risks to your data subjects.

Here is a checklist that can come in handy in ensuring that your LIA comprehensively addresses the threshold for data protection:

  • We understand our duty to protect the rights and interests of individuals whose data we process.
  • We have identified the legitimate interests that apply to our data processing activities.
  • Data usage aligns with what individuals would reasonably expect, barring exceptional reasons.
  • A legitimate interests assessment (LIA) has been conducted and recorded, providing a basis for processing.
  • An opt-out option has been considered for the data subjects.
  • We have assessed that our processing is necessary and there’s no less invasive method to achieve the same goal.
  • We have evaluated potential safeguards to minimize any adverse impact on individuals.
  • We review and update our LIA regularly, especially when circumstances change.
  • If processing children’s data, we take additional precautions to safeguard their interests.
  • If our LIA indicates a high privacy risk, we have considered conducting a Data Protection Impact Assessment (DPIA).
  • We refrain from using individuals’ data in intrusive or potentially harmful ways, unless a strong justification exists.
  • Our privacy information includes details about our reliance on legitimate interests as a legal basis for processing.
  • The balancing test confirms that the rights and interests of individuals do not override our legitimate interests.

Some important takeaways

The LIA follows three concepts:

  • Identify a legitimate interest (purpose test);
  • Establish whether processing of personal data is necessary (necessity test); and
  • Weigh the established interests against the rights and interests of the data subject (balancing test)

Addressing all three tests above and recording your responses should lead you to an unbiased conclusion regarding the legality of your data processing. This approach will also demonstrate that you have considered all relevant factors in your LIA. The legitimate interests concept outlined within the GDPR serves as a vital framework for organizations navigating the complexities of data protection compliance.

The first rule of thumb is that the LIA should always start from the perspective that you use individuals’ data in ways that they would reasonably expect. Generally, when conducting an LIA you must genuinely balance your interests against the individual’s. You should only go ahead with processing if the individual would reasonably expect it and it does not cause them undue harm. An LIA is not a legally mandated undertaking but a prudent activity that ensures you are in compliance with data protection laws. It is a great starting point for streamlining your data processing procedures in line with other legal and ethical guidelines.
