GDPR legitimate interests assessment guide & worked example

by
Lazy with her hands out balancing the risks of applying legitimate interests to data processing

It’s one of the most flexible lawful bases under GDPR but applying it comes with some caveats. To apply legitimate interests you need to be sure that your processing activity fulfils your purposes, is necessary and doesn’t override the interests or fundamental rights and freedoms of the data subject.

In other words, your use of legitimate interests needs to be justified.

To assess whether your chosen legitimate interest is justified or not, it is recommended to complete an L.I.A. (legitimate interests assessment) – also known as the “three part test”.

The three part test is not specifically referenced in the legal text of GDPR but Article 6(f) of the legal text does state that data processing can be lawful when the

“processing is necessary for…the purposes of the legitimate interests pursued by the controller or by a third party,…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

It’s from this text that the three part test has been derived, covering:

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

In this article we’ll look at each part of the test in detail and work through it with an example to help put it in context.

Course slide showing a basic diagram of a product recommendation engine for a train company which is processing personal data about a data subjects under legitimate interests.
Course slide from our Online GDPR Course

Purpose test

In this first part of the assessment you need to clearly define your purpose for data processing and assess whether it is really a “legitimate interest”. Remember that a vague purpose for processing is not sufficient, for example “for marketing”. This is too vague because it does not detail how or what will happen to data and it is not possible to anticipate all the potential risks to an individual’s privacy from this statement. 

As mentioned in the introduction of this article we’ll work through this test with you, with an example.

Our example is based on a train company who has specified one of their purposes for processing as “to provide suggestions and recommendations to customers about services that we feel may interest them“. The train company holds records about customers’ past ticket purchases in their online system, it includes data such as the time and date of purchase, the journey details including the destination and time and date the journey begins, the amount paid for the tickets and the class of ticket.

The company wants to set up a recommendation system, which will analyse customers’ purchases and make recommendations to them about ticket offers when they next access their online account.

They determine the processing activity as “To make suggestions and recommendations to customers about goods or services that we feel may interest them“.

The train company determines that legitimate interests may be an appropriate lawful basis for this processing and so they begin with the purpose test.

In a purpose test you should consider:

  • Why do you want to process the data?
  • What benefit do you expect to get from the processing?
  • Do any third parties benefit from the processing?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • What is the intended outcome for individuals?
  • Are you complying with other relevant laws?
  • Are you complying with industry guidelines or codes of practice?
  • Are there any ethical issues with the processing?

Source: ICO guidance

The train company answers like so:

The reason for processing is to make recommendations about products and services to customers. The intended benefit is increased sales of tickets which will help us grow our business. No third parties will benefit from this data processing. There are no wider public benefits to the processing. The impact on the company could be negative if we could not go ahead as the market is competitive and sales may drop which could lead to financial challenges. The company cannot identify any issues with other laws in completing this processing. The company is complying with all other industry guidelines and codes of practice in this activity, the company has consulted with National Rail’s Code of Practice on retail information for rail tickets and services as part of this process. The company does not foresee any ethical issues with processing a limited set of personal data for the purposes of making helpful recommendations.

The train company reviews their notes and decides that their intended processing meets the purpose test.

Necessity test

In the second test you must consider whether the processing activity you have defined is actually necessary to achieve your desired outcomes.

In the necessity test you should consider:

  • Will the processing actually help you achieve your purpose?
  • Is the processing proportionate to that purpose?
  • Can you achieve your purpose without processing the data, or by processing less data?
  • Can you achieve your purpose by processing the data in another more obvious or less intrusive way?

Source: ICO guidance

You should be aware that “it’s the most convenient way” is not a justification for whether the specific processing task is necessary. If there is a way to achieve the same outcome with less data or without processing data – in other words if there’s a more privacy friendly way to get the same results – then you generally should pursue that instead.

The train company answers the test like so:

The processing of the personal data with our recommendation system will help us achieve our goal of providing good recommendations to our customers and therefore will improve our sales. The processing is proportionate, only the data required to generate good recommendations will be used. It is not possible to generate relevant recommendations without at least some analysis of data, such as by analysing the customer’s previous ticket purchases so the data we plan to use is necessary. If the data used is not adequate it may generate irrelevant recommendations which could be annoying or disruptive to customers.

The train company reviews their notes and decides that their intended processing meets the necessity test.

Balancing test

In the third and final test you must consider the interests and fundamental rights and freedoms of the individual, and whether these override the legitimate interests you have identified.

As part of this test you will want to consider:

  • the nature of the personal data you want to process
    • Is the data special-category data under GDPR?
      • Special category data is sensitive data that includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, data concerning a person’s sex life or data concerning a person’s sexual orientation.
    • Is the data particularly sensitive or revealing?
    • Does the data relate to people who should be afforded additional protections such as vulnerable people and children?
  • the reasonable expectations of the individual
    • could the data subject reasonably expect this data processing to take place? what protections would the data subject expect?
    • Do you have an existing relationship with the individual? If so, what is the nature of that relationship?
    • How have you used their data in the past?
    • Did you collect data directly from the individual?
    • What did you tell individuals at the time?
    • If you obtained the data from a third party, what did they tell individuals about reuse of the data by third parties for other purposes?
    • How long ago was the data collected? Are there any changes in technology or other context since that time that would affect current expectations?
    • Is your intended purpose and method obvious or widely understood?
    • Are you intending to do anything new or innovative?
    • Do you have any actual evidence about expectations, e.g. from market research, focus groups or other forms of consultation?
  • the likely impact of the processing on the individual and whether any safeguards can be put in place to mitigate negative impacts
    • could the processing put the data subject at risk?
    • could there be physical or mental harm as a result of the processing?
    • could the processing impact the data subjects ability to exercise their rights?
    • Is there a risk of discrimination or reputational damage?
    • Is there a risk of financial loss, identity theft or fraud?

The train company answers as this test as so:

The nature of processing.

The data is not special-category data under GDPR. The data is not particularly sensitive or revealing. It is possible to buy train tickets using our online platform from age 16, therefore some of the data may technically relate to children. However the data is still considered low risk and steps are taken to ensure that all data subjects including children are aware of how their data will be processed as part of our privacy policy and privacy notices.

The reasonable expectations.

We believe data subjects may reasonably expect this processing to take place because making recommendations based on past purchases is common practice on e-commerce websites. We believe the data subject would expect that we would not share the data outside of our own company to do this and that we would not try to enhance the data from outside sources. We have a relationship with all affected data subjects as past customers. We have used their data previously to deliver our train services to them. Data has been collected directly from individuals when they have made previous purchases. At the time we informed people via our privacy policy that we may use their data for research, analytics and marketing purposes in order to improve our products and services and to grow our business. We have not talked specifically about using data as part of a recommendation engine. The data that will be used will be data collected within the last 2 years. We feel that because making product recommendations has become widespread practices on e-commerce websites that our processing will be understood by data subjects. We have not run any market research on these proposals.

The likely impact and whether any safeguards can be put in place to mitigate negative impacts.

We cannot anticipate any physical or mental harm from the result of this processing. We do not feel like this processing puts the data subjects at risk since the processing is automated requiring no human review and the resulting data produced by the processing is only delivered to the data subject when they login to our website. We cannot anticipate any risk of discrimination or reputational damage. We cannot anticipate any risk of financial loss, identify theft or fraud as a result of this processing. We will take steps to keep the data processed and the resulting recommendations secure regardless. We will continue to follow our data security policies when performing this data processing activity.

Forming a conclusion

After completing each of the three tests you will want to evaluate them individually and then together as a whole to determine whether you should continue with your plans to process data for the specified reason under legitimate interests.

You will also want to identify any safeguards you can put in place to minimise risk to data subjects. For example this may include redesigning the processing activity to use less data, strengthening or updating your data security policies, setting up notices and communications which explain to data subjects what will be happening with their data or adding an “opt-out” function (please note this is separate to the idea of opt-in/opt-out for consent).

For the train company example they may consider an email communication which explains how the new recommendation engine will work and how the data used will be protected, they will also want to update their privacy policy with details of the new legitimate interest defined and to add notices to their website/app to make people aware of these changes.

You will want to weigh up all factors to make your final decision, you should keep in mind that this analysis will be objective. It is not a mathematical exercise with points awarded to each section. What is particularly important is that your reasoning is comprehensive, covers all the key concerns and is well documented so that you can rely on it later if challenged by a data subject or the regulatory authorities. 

If you are struggling with this process – remember, “don’t be evil” with your data processing – it doesn’t work well under GDPR.

Popular posts on Measured Collective

  1. GDPR & Google Workspace: How to stay compliant with GDPR
  2. GDPR & Recaptcha: How to stay compliant with GDPR
  3. Is Google Forms GDPR compliant?
  4. Can an individual get a GDPR fine?
  5. Does GDPR apply to b2b data?
Measured Collective Logo in White on Transparent