The Data Privacy & Tailored Risk Blog

3 steps you need to take for a Legitimate Interest assessment - PrivIQ

Written by Chloe Boyle | Oct 22, 2020 4:00:00 AM

A Legitimate Interest Impact Assessments (LIA) is a specific type of risk assessment, and as such, needs to be treated with some degree of gravity. If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests. The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. Use this step-by-step process to ensure that there’s no confusion about what was done, why it was done, and how data subjects were respected and protected at every stage of the way.

1. Identify the Interest

Before you process anything, you need to answer some basic questions:

  • Who benefits from processing the data?
  • What are the major goals?
  • Will the public benefit from processing the data?
  • How will people be impacted by processing the data?
  • Does any legislation specifically list the processing activity as legitimate?

The LIA should also qualify the importance of the processing. For example, let’s say a marketer wanted to mail a new home loan offer letter to people that meet certain credit criteria. It’s a limited-time offer sent to those who might be interested in transitioning from renting to owning. If data subjects didn’t receive this loan offer, what impact would it make on the lives of those who received the offer? Would they miss out on a substantial opportunity or is it likely that they would find a similar offer elsewhere?

2. Apply the Necessity Test

The legitimate interest that you’ve identified in step one must be supported by the nature and methodology of the processing. You must identify how the data manipulation will further the goal, and whether there’s a better way to achieve the interest.

In our loan offer example, a marketer might conclude that the people on the list wouldn’t be able to find another loan at such a low rate, thus showing that there’s a legitimate public interest in helping people secure affordable housing.

However, the necessity test might also reveal that there is a less intrusive option available. So rather than weeding people out via their credit scores, the marketer might take a more general approach. For example, sending out a notification to everyone on their mailing list and requesting a follow-up, rather than singling renters out.

3. Perform a Balancing Test

The balancing test refers to whether the final impact on data subjects is more important than your final goals. You must consider the nature of your relationship with data subjects, how sensitive the data is, and whether a person would expect you to use the data for this purpose.

In the case of a home loan offer, you could argue that there is a power imbalance between data subjects and the company. Those who don’t qualify are at the mercy of several market forces and might be desperate to find a rate that they can budget for. However, you could also counter that people could reasonably expect you to send mailers out to renters who do want to own a home. Marketing is becoming more specific these days, and companies who can’t tailor their strategies are likely to be left behind.

Now is the time to delve into the lawful basis for processing and what safeguards can be implemented to minimise the ramifications. Balancing tests are especially important if you’re processing special category data (e.g., health information, religious beliefs, etc.) or the personal data of minors. You must speak to the vulnerabilities of subjects in a balance test and what would happen if you chose not to process the data.

The LIA Spectrum

Some LIAs will be relatively simple. They’re a basic assessment that ends with an inevitable green light to the processing. However, some will require more effort, potentially leading to a full data protection impact assessment (DPIA).

The good news is that everything from general research to mailing lists can be a legitimate interest, so you might not be as restricted as you think. For instance, you could, potentially, use your legitimate interest in lieu of express customer consent for direct marketing to existing customers.

The most important part of the LIA is that you’re detailing potential options and settling on the one that will protect people’s best interests.

Safeguards in Place

If there’s a dispute about the legitimacy of your interest, having the right protection measures in place can give you the edge. So, you might immediately delete the data after use, or enable encryption in case of a successful hack on the organisation. If you’re completing a DPIA, you’re required to cover all this information as part of the report. But if you’re doing a more basic LIA assessment, you should still be accounting for potential data leaks or security breaches.

The Nature of Compliance

A legitimate interest impact assessment is often made easier when you have a good template to help you check off the required metrics. Demonstrating GDPR compliance is all about proving that your company is taking real steps to keep people’s data protected.

Because there are no standard formats for the LIA, you should be developing or implementing a standard process that provides specific details regarding your logic for each step. Make sure to keep this document under review and update it whenever there’s a change in your processing.

So, if you decided to use the data collected from your home loan offer to pivot to a debt consolidation offer, you can update your LIA with the reasons for doing so. As with the original LIA, you’ll need to list the benefits and lawful basis of your decisions. If you’re having any reservations after performing your balance test, you might consider adjusting the processing metrics or considering a different lawful basis for your actions.

There’s a lot to know about risk assessments, but the GDPR is primarily looking for good-faith efforts. If you make your data subjects’ best interests a priority, you’re unlikely to violate compliance rules.