GDPR-DOC-03-2 Legitimate Interest Assessment Procedure


GDPR Toolkit: Version 8 ©CertiKit Legitimate Interest Assessment Procedure

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This procedure sets out how a legitimate interest assessment should be conducted, in order to determine whether this lawful basis may apply to a specific processing of personal data.

Areas of the GDPR addressed

The following article of the GDPR is addressed by this document:

• Article 6 – Lawfulness of processing

General guidance

Legitimate interest is a useful alternative to relying on consent for processing and may be appropriate in several instances, but you must be able to show that you have reached this conclusion based on a reasonable consideration of the issues involved.

Review frequency

We would recommend that this document is reviewed at least annually.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

Legitimate Interest Assessment Procedure Version 1 Page 2 of 12 [Insert date]

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.


Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Legitimate Interest Assessment Procedure

DOCUMENT REF GDPR-DOC-03-2

VERSION 1

DATED [Insert date]

DOCUMENT AUTHOR [Insert name]

DOCUMENT OWNER [Insert name/role]


Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE

Contents

1 Introduction ........................................................ 8
2 Legitimate interest assessment procedure ........................... 9
2.1 The purpose test ................................................. 9
2.1.1 Objectives ..................................................... 10
2.1.2 Benefits ....................................................... 10
2.1.3 Impact of not processing ....................................... 10
2.1.4 Other issues ................................................... 10
2.2 The necessity test ............................................... 11
2.3 The balancing test ............................................... 11
2.4 Assessment decision .............................................. 12

1 Introduction

There are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under the GDPR. It is [Organization Name] policy to identify the appropriate basis for processing and to document it, in accordance with the Regulation.

The options may be listed as follows:

• Consent

• Performance of a contract

• Legal obligation

• Vital interests of a data subject

• Task carried out in the public interest

• Legitimate interest

This procedure is intended to be used when it has been identified that the lawful basis of processing in a case might be based on legitimate interest.

This procedure should be considered in conjunction with the following related documents:

• Data Protection Policy

• Records Retention and Protection Policy

• Personal Data Analysis Procedure

• Data Subject Request Procedure

• Data Protection Impact Assessment Process


2 Legitimate interest assessment procedure

The GDPR allows for the processing of personal data to be lawful where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child” (GDPR Article 6, para 1(f)).

In general, legitimate interest will apply in cases where the processing might reasonably be expected by the data subject and where its impact on the data subject’s privacy is not significant. It may also apply where there is a strong, justified reason for the organisation to carry out the processing. In Recital 47, the GDPR mentions the examples of fraud prevention and direct marketing as being good candidates for legitimate interest, as long as this could reasonably be expected by the data subject, for example where he/she is an existing customer of the controller.

In order to fully establish, and be able to show, that legitimate interest is a reasonable basis for processing in a specific case, a three-part test must be applied.

This test requires the organisation to demonstrate:

1. the precise nature of the legitimate interest (the Purpose test)

2. that the processing is necessary for the legitimate interest (the Necessity test)

3. that the data subject’s interests, rights and freedoms do not override the organisation’s legitimate interests (the Balancing test)

This procedure uses the Legitimate Interest Assessment Form to document each of the above tests and provide evidence, when required, that a fair assessment has been carried out.

All three tests are to a great extent subjective in nature, and care should be taken that a fair and balanced approach is used, and a reasonable, defensible conclusion drawn.

2.1 The purpose test

The purpose test seeks to establish whether the interest stated is indeed legitimate for the organisation, or for a relevant third party. This test involves defining the exact reasons for the processing and the benefits of it.

On the Legitimate Interest Assessment Form, provide a considered answer to the stated questions in the following areas, including any further detail where appropriate.


2.1.1 Objectives

Describe what the processing is intended to achieve, in particular:

• What are the objectives of the processing?

• How will you know if it has achieved its purpose?

• How likely are the objectives to be met by the processing?

Try to provide a clear statement of exactly what the processing involves, for example direct marketing of supplementary products and services to existing customers, leading to more sales.

2.1.2 Benefits

Assess what the results of the processing provide:

• What benefits (could) derive from the processing?

• How significant are these benefits (quantify if possible)?

• Who will receive the benefits of the processing, for example the organisation, the public, the data subject?

Give as rounded a view as possible of the overall benefits of the processing to all parties involved, not just for the organisation. Continuing with the direct marketing example, information about your products may provide customers with a solution to a problem they have, and you may be offering a discount.

2.1.3 Impact of not processing

Describe the potential impact of not processing the personal data in the way proposed.

• How significant would the impact be?

• How likely is it that the impact would be felt?

• Who would be impacted by not processing?

This may simply be the opposite of the benefits, but for example (direct marketing again), if the organisation needs more sales to remain viable, then an impact of not processing the personal data could be job losses.

2.1.4 Other issues

Any other issues that might be relevant:

• Has this processing been carried out before, and if so, what were the results?


• Is the processing ethical?

• Would the processing have any negative impact and, if so, what and for whom?

There may be other factors for and against the processing and it is important to present a balanced view. Try to use firm facts where possible, rather than subjective opinions.

2.2 The necessity test

For legitimate interest to be a valid lawful basis for processing personal data, it must be shown that the processing is required for the benefit to be gained. Consider whether there are other ways to achieve the objectives stated in the purpose test which don’t involve processing the personal data or involve processing less of it.

On the Legitimate Interest Assessment Form, explain why the processing must happen in the way described for the intended benefits to be forthcoming. In particular:

• How does the processing relate to the benefits expected?

• Is the processing as proposed the best way to achieve the result?

• What alternatives have been considered and why were they rejected?

Staying with the direct marketing theme, the objective of increasing sales could be met via advertising which doesn’t involve the processing of personal data. However, this method may not provide as good a return on investment as emailing customers who have already purchased similar products and services.

2.3 The balancing test

Having established the nature of the interest, its benefits and the fact that the processing is necessary for the benefits to be gained, the final step is to assess whether the identified interest overrides the privacy interests of the data subjects involved.

Use the Legitimate Interest Assessment Form to assess this balance of interests by addressing the following questions:

• Who are the data subjects?

How can the data subjects typically be categorised? Pay attention to whether any of them belong to vulnerable groups such as children, or whether there are any cultural considerations.

• What is the organisation’s relationship with the data subject?

Consider whether the organisation is known to the data subject and if so, what the nature of the relationship is, for example are they a customer, a service user or an applicant?

• What personal data are involved in the processing?

Do any of the personal data being processed fall into special or sensitive categories, such as political opinions or biometric data (for example fingerprints)?

• What is the likely reaction of the data subject to the processing?

Would the data subject reasonably expect the processing to be carried out or are they likely to regard it as intrusive or inappropriate? Any consultation with representatives of the data subjects would add weight to the case in this area.

• What is the potential impact on the data subject?

What consequences could the processing have on the data subject, for example could it take their time, affect their reputation or cost them money?

• How could the impact on the data subject be lessened?

Are there any techniques or approaches that could be used to reduce the impact on the data subject, for example emailing rather than telephoning, or giving them an element of choice, e.g. an unsubscribe or opt-out?

2.4 Assessment decision

Once the three tests have been completed, an assessment must be made about whether, on balance, the processing may be lawful based on legitimate interest.

The decision made must be recorded on the Legitimate Interest Assessment Form together with details of who carried out the assessment and when, and who approved the decision.

Records of legitimate interest assessments must be retained as evidence that such an assessment was carried out, and as input to the relevant privacy notice.
