Legitimate Interest Assessments (LIA)

Overview

Legitimate Interest Assessments (LIAs) are required under GDPR Article 6(1)(f) when processing personal data based on legitimate interests. This system provides a complete LIA management workflow compliant with ICO (UK) and DPC (Ireland/EU) guidance.

What is a Legitimate Interest Assessment?

An LIA is a three-part test that must be completed before processing personal data under the legitimate interests lawful basis:

  • Purpose Test - Is there a legitimate interest?
  • Necessity Test - Is the processing necessary?
  • Balancing Test - Do the legitimate interests outweigh individual rights?

    Key Features

    1. Three-Part Test Structure

    Part 1: Purpose Test

  • Processing activity description
  • Purpose description
  • Purpose justification
  • Why this purpose is legitimate

    Part 2: Necessity Test

  • Necessity description
  • Alternative approaches considered
  • Why alternatives are inadequate
  • Why processing is necessary

    Part 3: Balancing Test

  • Individual impact assessment
  • Individual expectations
  • Balancing outcome
  • Safeguards implemented
  • Data minimization measures

    2. Workflow Management

    Statuses:

  • draft - Initial creation, being written
  • under_review - Submitted for review
  • approved - Approved and active
  • rejected - Rejected, not approved

    Review Process:

  • Create LIA in draft status
  • Complete all three-part test sections
  • Submit for review
  • Reviewer approves or rejects
  • Approved LIAs are available as audit evidence when submissions are shared

    3. Annual Review Tracking

    Review Management:

  • Next review date set on approval
  • Review notes and history
  • Manual monitoring of review dates

    Best Practice:

  • Review LIAs annually
  • Update if processing changes
  • Document any changes

    4. Submission Linking

    Approved LIAs are stored for audit purposes. Submissions do not yet link to LIAs automatically, so keep the latest approved assessment on file for the relevant processing activity.

    Usage Guide

    Creating an LIA

  • Navigate to Admin → Legitimate Interest Assessments → Create New
  • Enter basic information:
      - Title - Processing activity name
  • Complete Part 1: Purpose Test
      - Describe the processing activity
      - Explain the purpose
      - Justify why the purpose is legitimate
  • Complete Part 2: Necessity Test
      - Explain why processing is necessary
      - Describe alternative approaches considered
      - Explain why alternatives are inadequate
  • Complete Part 3: Balancing Test
      - Assess individual impact
      - Consider individual expectations
      - Document balancing outcome
      - List safeguards implemented
      - Describe data minimization measures
  • Set next review date
  • Save as draft

    Submitting for Review

  • Open LIA in draft status
  • Check that all sections are complete
  • Click Submit for Review
  • Status changes to under_review
  • Reviewer picks it up from the LIA list

    Reviewing an LIA

  • Navigate to Admin → Legitimate Interest Assessments
  • Filter by under_review status
  • Open LIA for review
  • Review all three parts
  • Add review notes
  • Approve or reject:
      - Approve: Set next review date, status becomes approved
      - Reject: Add rejection reason, status becomes rejected

    How It Works

    LIA Structure

    Each LIA contains three required sections:

    Part 1: Purpose Test

  • What is the processing activity?
  • What is the legitimate interest?
  • Why is this purpose legitimate?

    Part 2: Necessity Test

  • Why is processing necessary?
  • What alternatives were considered?
  • Why are alternatives inadequate?

    Part 3: Balancing Test

  • What is the impact on individuals?
  • What are individual expectations?
  • Do legitimate interests outweigh individual rights?
  • What safeguards are in place?

    Validation

    LIA Validity:

  • Must be approved status
  • Review must not be overdue
  • Submissions currently do not enforce LIA selection, so check validity before relying on it
  • Status displayed in interface
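As an added example (not code from this page or from the system it documents), the following Python models the workflow statuses from the Workflow Management section and the validity rule stated above: an LIA counts as valid only when it is in approved status and its review is not overdue, and it cannot be submitted until every three-part-test section is filled in. The class, field and function names are assumptions, the transition table is reconstructed from the review process described on the page, and the sample LIA text is constructed.

```python
"""Added example: a minimal model of the LIA workflow and validity check.
Statuses (draft, under_review, approved, rejected) and the validity rule
come from the documentation; all names below are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Status(str, Enum):
    DRAFT = "draft"
    UNDER_REVIEW = "under_review"
    APPROVED = "approved"
    REJECTED = "rejected"


# Transitions reconstructed from the page's review process (assumption):
# draft -> under_review -> approved | rejected. Approved and rejected are
# terminal here because the page describes no further transition.
ALLOWED_TRANSITIONS = {
    Status.DRAFT: {Status.UNDER_REVIEW},
    Status.UNDER_REVIEW: {Status.APPROVED, Status.REJECTED},
    Status.APPROVED: set(),
    Status.REJECTED: set(),
}

# One field per question in the three-part test (hypothetical field names).
REQUIRED_SECTIONS = (
    "processing_activity", "purpose", "purpose_justification",            # Part 1
    "necessity", "alternatives", "alternatives_inadequate",               # Part 2
    "individual_impact", "individual_expectations", "balancing_outcome",
    "safeguards", "data_minimisation",                                    # Part 3
)


@dataclass
class LIA:
    title: str
    sections: dict = field(default_factory=dict)
    status: Status = Status.DRAFT
    next_review_date: date | None = None
    review_notes: list = field(default_factory=list)

    def missing_sections(self) -> list[str]:
        """Sections that are absent or blank; must be empty before submission."""
        return [s for s in REQUIRED_SECTIONS if not self.sections.get(s, "").strip()]

    def _transition(self, new_status: Status) -> None:
        if new_status not in ALLOWED_TRANSITIONS[self.status]:
            raise ValueError(f"cannot move from {self.status.value} to {new_status.value}")
        self.status = new_status

    def submit_for_review(self) -> None:
        missing = self.missing_sections()
        if missing:
            raise ValueError("incomplete sections: " + ", ".join(missing))
        self._transition(Status.UNDER_REVIEW)

    def approve(self, next_review_date: date, notes: str = "") -> None:
        """Approval sets the next review date, as the page describes."""
        self._transition(Status.APPROVED)
        self.next_review_date = next_review_date
        self.review_notes.append(f"approved: {notes}")

    def reject(self, reason: str) -> None:
        if not reason.strip():
            raise ValueError("a rejection reason is required")
        self._transition(Status.REJECTED)
        self.review_notes.append(f"rejected: {reason}")

    def is_valid(self, today: date | None = None) -> bool:
        """Valid = approved status AND review not overdue (both from the page)."""
        today = today or date.today()
        return (self.status is Status.APPROVED
                and self.next_review_date is not None
                and self.next_review_date >= today)


def build_sample_lia() -> LIA:
    """Constructed sample for the 'Candidate Submissions' use case."""
    text = {s: f"constructed sample text for {s}" for s in REQUIRED_SECTIONS}
    return LIA(title="Candidate submissions to clients", sections=text)


def run_workflow_demo() -> dict:
    """Walk one LIA through the workflow and record each check's outcome."""
    results = {}
    incomplete = LIA(title="Email notifications")          # nothing filled in yet
    results["missing_count"] = len(incomplete.missing_sections())
    try:
        incomplete.submit_for_review()
        results["incomplete_submit"] = "allowed"
    except ValueError:
        results["incomplete_submit"] = "blocked"

    lia = build_sample_lia()
    results["draft_valid"] = lia.is_valid(today=date(2024, 1, 1))   # draft is never valid
    lia.submit_for_review()
    results["status_after_submit"] = lia.status.value
    lia.approve(next_review_date=date(2025, 1, 1), notes="all three parts complete")
    results["valid_before_review_due"] = lia.is_valid(today=date(2024, 6, 1))
    results["valid_after_review_due"] = lia.is_valid(today=date(2025, 1, 2))  # overdue
    try:
        lia.reject("late objection")                       # not allowed once approved
        results["reject_after_approve"] = "allowed"
    except ValueError as exc:
        results["reject_after_approve"] = str(exc)
    return results


if __name__ == "__main__":
    print(run_workflow_demo())
```

Because submissions do not yet enforce LIA selection, the `is_valid` check is the piece worth wiring into whatever code shares a submission: it fails closed when the review date has passed, which is the condition the interface only displays.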

    GDPR Compliance

    ICO Guidance Compliance

    UK ICO Three-Part Test:

  • Purpose test: ✓ Implemented
  • Necessity test: ✓ Implemented
  • Balancing test: ✓ Implemented

    Documentation Requirements:

  • Complete LIA records
  • Review tracking
  • Approval workflow
  • Audit logging

    DPC Guidance Compliance

    Ireland/EU DPC Requirements:

  • Three-part test structure
  • Documented assessments
  • Regular reviews
  • Safeguards documentation

    Best Practices

  • Complete All Sections - Don't skip any part of the three-part test
  • Be Specific - Detailed descriptions are better
  • Consider Alternatives - Document why alternatives don't work
  • Review Annually - Set and track review dates
  • Link to Submissions - Use LIAs for legitimate interest processing
  • Document Safeguards - List all data protection measures
  • Update When Needed - Review and update if processing changes

    Common Use Cases

    Candidate Submissions:

  • Processing candidate data to share with clients
  • Legitimate interest: Facilitating recruitment
  • Necessity: Core business function
  • Balancing: Candidate benefits from placement opportunity

    Email Notifications:

  • Sending submission notifications to clients
  • Legitimate interest: Business communication
  • Necessity: Essential for service delivery
  • Balancing: Minimal impact, clear benefit

    Related Features

  • GDPR Audit Trail
  • Privacy Notices & ROPA
  • Submissions & Tracking