Introduction to this document
GDPR legitimate interests assessment
If you intend to rely on legitimate interests as your lawful basis for processing certain personal data under the UK GDPR, you should first conduct a legitimate interests assessment.
Lawful basis for processing
To process personal data, under the UK GDPR you always need a lawful basis for processing. The three most relevant in the employment context are that the processing is necessary: (1) for performance of a contract, e.g. an employment contract, or to enable you to take steps at the data subject’s request prior to entering into a contract; (2) for compliance with a legal obligation to which you’re subject; or (3) for the purposes of your legitimate interests (or those of a third party), provided the data subject’s interests or their rights and freedoms don’t override your interests.
Legitimate interests test
Of these three, “legitimate interests” is the most flexible lawful basis for processing, but you can’t assume it will always be the most appropriate. It’s likely to be most appropriate where you use employees’ personal data in ways they would reasonably expect and which have a minimal privacy impact, or where there’s a compelling justification for the processing. There are three elements to the legitimate interests basis, so in effect you need to carry out a three-part test. You need to:
- identify a legitimate interest, which can be your own interest or the interest of a third party (purpose test)
- show that the processing is necessary to achieve it (necessity test) - if you can reasonably achieve the same result in a less intrusive way, legitimate interests won’t apply
- balance it against the data subject’s interests, rights and freedoms (balancing test) - if the data subject wouldn’t reasonably expect the processing, or if it would cause them unjustified harm, their interests are likely to override your legitimate interests.
Assessment
Our GDPR Legitimate Interests Assessment (LIA) is designed to enable you to proactively carry out that three-part test and then record the outcome. Once completed, you should keep a record of the LIA to ensure you can justify your decision that legitimate interests is the most appropriate lawful basis for processing and to help you demonstrate UK GDPR compliance in line with your accountability obligations. Then, keep your LIA under review and repeat it if circumstances change, e.g. there’s a significant change in the purpose, nature or context of the processing.

Our LIA covers the three tests set out above. In some cases, your completed LIA will be quite short as some of the questions won’t be applicable, but in other cases there will be more to consider.

Once you’ve completed the purpose, necessity and balancing tests in the LIA, you then need to make a decision about whether you think legitimate interests is an appropriate basis for processing, and so this is the final section of our document. If you’re not sure about the outcome of the balancing test, it may be safer for you to look for another lawful basis for processing, as you must be confident that your legitimate interests aren’t overridden by the risks you’ve identified.
Document
10 May 2019