Performing a Legitimate Interest Assessment (LIA) in ECOMPLY

According to Article 10, LGPD, and Article 6, GDPR, controllers can process personal data based on a legitimate interest. The big question that needs to be answered is: when is an interest legitimate and when isn’t it? Typically, this question is answered in a process called the Legitimate Interest Assessment or LIA. In this article, we will show you how ECOMPLY supports data protection officers in performing a LIA. This process is based on the recommendations of European data protection authorities.

Process

In order to assess whether a processing is legitimate, it is necessary to weigh the risks of processing against the benefits of the processing. If the risks for data subjects are acceptable and the benefits outweigh the risks, then the processing can be assumed to be legitimate. 

The bigger questions of legitimacy can be subdivided into smaller questions. Taken together, the answers to these questions provide the LIA.

Why is PII being processed?

When justifying legitimate interest as the legal basis, it is recommended to reiterate why the PII is being processed. The point is to identify who the benefactors of the processing are. Especially if the benefactor of the processing is solely the controller, it is important to describe the reasoning behind it. A typical example is Web Tracking, which is commonplace and seems to initially have no immediate benefit to the data subject.

What benefits arise for the controller?

In case the answer to the previous question listed other benefactors aside from the controller, this question is meant to dig deeper into the benefits of the controller. After all, the LIA is about identifying the legitimacy of the controller's interests. If the controller is the sole benefactor, this might point to missing legitimacy.

Do other parties also benefit from the processing?

As the controller being the sole beneficiary points to missing legitimacy, then having multiple other beneficiaries points to the opposite. As such, it is a relevant consideration of the LIA to identify possible other benefiting parties. More benefactors add to legitimacy.

Does a public interest exist in the processing?

If the public has a benefit or even an active interest in the processing, then justifying legitimacy becomes much easier. As such, this question is meant to trigger the assessor into considering this point of view.

Why are the benefits important to the controller?

Use this opportunity to highlight the importance of the processing. State why it is important and why not doing the processing would be a problem for the controller.

Does the controller adhere to data protection laws?

Of course, you would not be working on a LIA if the controller at hand was not committed to data protection. Regardless, it is recommended to make this commitment explicit by stating the adherence to all applicable data protection laws.

Does the processing (actually) assist to achieve the described benefit?

One small pitfall is to claim a controller benefit and then realize that the processing is not actually contributing (much) to the achieving said benefit. This question is a reminder to pay special attention to the link between the processing and achieving the legitimate controller benefit.

Is there any other way to achieve the benefit?

Controllers are required by law to carry out privacy by design and by default, working with the minimum possible amount of personal data. As such, every processing consideration shall weigh whether alternatives that are less invasive exist (with reasonable effort and similar results). If no better alternatives exist, this helps to argue the legitimacy of the processing.

Is this processing as minimally invasive as possible to achieve this benefit?

Similar to the question of alternatives, the LIA makes a point of clarifying that the processing at hand is tuned to be minimally invasive. For example, it should not collect personal data that is not actually needed.

Result

The ECOMPLY LIA assistant provides the structure and tools to quickly conduct a LIA. The answers to the above questions are immediately converted into the LIA justification text. This text can be readily inserted into the documentation of the processing activity at hand.

‍

‍