Legitimate Interest Assessments (LIA)


    Overview

    Legitimate Interest Assessments (LIAs) are required under GDPR Article 6(1)(f) when processing personal data based on legitimate interests. This system provides a complete LIA management workflow compliant with ICO (UK) and DPC (Ireland/EU) guidance.

    ---

    What is a Legitimate Interest Assessment?

    An LIA is a three-part test that must be completed before processing personal data under the legitimate interests lawful basis:

  • Purpose Test — Is there a legitimate interest?
  • Necessity Test — Is the processing necessary?
  • Balancing Test — Do the legitimate interests outweigh individual rights?

    ---

    Key Features

    1. Three-Part Test Structure

    Part 1: Purpose Test

  • Processing activity description
  • Purpose description
  • Purpose justification
  • Why this purpose is legitimate

    Part 2: Necessity Test

  • Necessity description
  • Alternative approaches considered
  • Why alternatives are inadequate
  • Why processing is necessary

    Part 3: Balancing Test

  • Individual impact assessment
  • Individual expectations
  • Balancing outcome
  • Safeguards implemented
  • Data minimization measures

    ---

    2. Workflow Management

    Statuses:

  • draft — Initial creation, being written
  • under_review — Submitted for review
  • approved — Approved and active
  • rejected — Rejected, not approved

    Review Process:

  • Create LIA in draft status
  • Complete all three-part test sections
  • Submit for review
  • Reviewer approves or rejects
  • Approved LIAs are ready for audit evidence when sharing submissions

    ---

    3. Annual Review Tracking

    Review Management:

  • Next review date set on approval
  • Review notes and history
  • Manual monitoring of review dates

    Best Practice:

  • Review LIAs annually
  • Update if processing changes
  • Document any changes

    ---

    4. Submission Linking

    Approved LIAs are stored for audit purposes. Submissions do not yet link to LIAs automatically, so keep the latest approved assessment on file for the relevant processing activity.

    ---

    Usage Guide

    Creating an LIA

  • Navigate to Admin → Legitimate Interest Assessments → Create New
  • Enter basic information:
      - Title
      - Processing activity name
  • Complete Part 1: Purpose Test
      - Describe the processing activity
      - Explain the purpose
      - Justify why purpose is legitimate
  • Complete Part 2: Necessity Test
      - Explain why processing is necessary
      - Describe alternative approaches considered
      - Explain why alternatives are inadequate
  • Complete Part 3: Balancing Test
      - Assess individual impact
      - Consider individual expectations
      - Document balancing outcome
      - List safeguards implemented
      - Describe data minimization measures
  • Set next review date
  • Save as draft

    ---

    Submitting for Review

  • Open LIA in draft status
  • Check that all sections are complete
  • Click Submit for Review
  • Status changes to under_review
  • Reviewer picks it up from the LIA list

    ---

    Reviewing an LIA

  • Navigate to Admin → Legitimate Interest Assessments
  • Filter by under_review status
  • Open LIA for review
  • Review all three parts
  • Add review notes
  • Approve or reject:
      - Approve — Set next review date, status becomes approved
      - Reject — Add rejection reason, status becomes rejected

    ---

    How It Works

    LIA Structure

    Each LIA contains three required sections:

    Part 1: Purpose Test

  • What is the processing activity?
  • What is the legitimate interest?
  • Why is this purpose legitimate?

    Part 2: Necessity Test

  • Why is processing necessary?
  • What alternatives were considered?
  • Why are alternatives inadequate?

    Part 3: Balancing Test

  • What is the impact on individuals?
  • What are individual expectations?
  • Do legitimate interests outweigh individual rights?
  • What safeguards are in place?

    ---

    Validation

    LIA Validity:

  • Must be in approved status
  • Review must not be overdue
  • Submissions currently do not enforce LIA selection, so check validity before relying on it
  • Status displayed in interface

    ---

    GDPR Compliance

    ICO Guidance Compliance

    UK ICO Three-Part Test:

  • Purpose test: ✓ Implemented
  • Necessity test: ✓ Implemented
  • Balancing test: ✓ Implemented

    Documentation Requirements:

  • Complete LIA records
  • Review tracking
  • Approval workflow
  • Audit logging

    ---

    DPC Guidance Compliance

    Ireland/EU DPC Requirements:

  • Three-part test structure
  • Documented assessments
  • Regular reviews
  • Safeguards documentation

    ---

    Best Practices

  • Complete All Sections — Don't skip any part of the three-part test
  • Be Specific — Detailed descriptions are better
  • Consider Alternatives — Document why alternatives don't work
  • Review Annually — Set and track review dates
  • Link to Submissions — Use LIAs for legitimate interest processing
  • Document Safeguards — List all data protection measures
  • Update When Needed — Review and update if processing changes

    ---

    Common Use Cases

    Candidate Submissions

  • Processing candidate data to share with clients
  • Legitimate interest: Facilitating recruitment
  • Necessity: Core business function
  • Balancing: Candidate benefits from placement opportunity

    Email Notifications

  • Sending submission notifications to clients
  • Legitimate interest: Business communication
  • Necessity: Essential for service delivery
  • Balancing: Minimal impact, clear benefit

    ---

    🔗 Related Features

  • GDPR Audit Trail — Audit logging
  • Privacy Notices & ROPA — Privacy notices
  • Submissions & Tracking — Using LIAs with submissions