Legitimate Interest Assessment Procedure
ISO/IEC 27701 Toolkit: Version 2
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This procedure sets out how a legitimate interest assessment should be conducted, in order to determine whether this lawful basis may apply to a specific processing of personally identifiable information (PII).
Areas of the standard addressed
The following areas of the ISO27701 standard are addressed by this document:
• Annex A
  o A.1.2 Conditions for collection and processing
    ▪ A.1.2.2 Identify and document purpose
    ▪ A.1.2.3 Identify lawful basis
General guidance
Legitimate interest is a useful alternative to relying on consent for processing and may be appropriate in several instances, but you must be able to show that you have reached this conclusion based on a reasonable consideration of the issues involved.
Review frequency
We would recommend that this document is reviewed at least annually.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Legitimate Interest Assessment Procedure [Insert classification]
Legitimate Interest Assessment Procedure
DOCUMENT CLASSIFICATION [Insert classification]
DOCUMENT REF PIMS-DOC-A1-2-2
VERSION 1
DATED [Insert date]
DOCUMENT AUTHOR [Insert name]
DOCUMENT OWNER [Insert name/role]
[Insert date]
Revision history
Distribution
NAME
Approval
NAME
1 Introduction
Depending on the privacy legislation involved, there may be a number of alternative ways in which the lawfulness of a specific case of processing of personally identifiable information (PII) may be established. It is [Organization Name] policy to identify the appropriate basis for processing and to document it, in accordance with the relevant privacy legislation.
The options may be listed as follows:
• Consent
• Performance of a contract
• Legal obligation
• Vital interests of a data subject
• Task carried out in the public interest
• Legitimate interest
[Note: this list is based on the EU GDPR]
This procedure is intended to be used when it has been identified that the lawful basis of processing in a case might be based on legitimate interest.
This procedure should be considered in conjunction with the following related documents:
• Privacy and Data Protection Policy
• Records Retention and Protection Policy
• Personally Identifiable Information Analysis Procedure
• PII Principal Request Procedure
• Privacy Impact Assessment Process
2 Legitimate interest assessment procedure
Privacy legislation may allow for the processing of PII to be lawful where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, often with some defined exceptions.
In general, legitimate interest will apply in cases where the processing might reasonably be expected by the PII principal and where its impact on their privacy is not significant. It may also apply where there is a strong, justified reason for the organization to carry out the processing, such as fraud prevention or direct marketing, as long as this could reasonably be expected by the PII principal, e.g. where they are an existing customer of the controller.
In order to fully establish, and be able to show, that legitimate interest is a reasonable basis for processing in a specific case, a three-part test must be applied.
This test requires the organization to demonstrate:
1. the precise nature of the legitimate interest (the Purpose test)
2. that the processing is necessary for the legitimate interest (the Necessity test)
3. that the PII principal’s interests, rights and freedoms do not override the organization’s legitimate interests (the Balancing test)
This procedure uses the Legitimate Interest Assessment Form to document each of the above tests and provide evidence, when required, that a fair assessment has been carried out.
All three tests are to a great extent subjective in nature, and care should be taken that a fair and balanced approach is used, and a reasonable, defensible conclusion drawn.
2.1 The purpose test
The purpose test seeks to establish whether the interest stated is indeed legitimate for the organization, or for a relevant third party. This test involves defining the exact reasons for the processing and the benefits of it.
On the Legitimate Interest Assessment Form, provide a considered answer to the stated questions in the following areas, including any further detail where appropriate.
2.1.1 Objectives
Describe what the processing is intended to achieve, in particular:
• What are the objectives of the processing?
• How will you know if it has achieved its purpose?
• How likely are the objectives to be met by the processing?
Try to provide a clear statement of exactly what the processing involves e.g. direct marketing of supplementary products and services to existing customers, leading to more sales.
2.1.2 Benefits
Assess what the results of the processing provide:
• What benefits could derive from the processing?
• How significant are these benefits (quantify if possible)?
• Who will receive the benefits of the processing, e.g. the organization, the public, the PII principal?
Give as rounded a view as possible of the overall benefits of the processing to all parties involved, not just for the organization. Continuing with the direct marketing example, information about your products may provide customers with a solution to a problem they have, and you may be offering a discount.
2.1.3 Impact of not processing
Describe the potential impact of not processing the PII in the way proposed.
• How significant would the impact be?
• How likely is it that the impact would be felt?
• Who would be impacted by not processing?
This may simply be the opposite of the benefits, but for example (direct marketing again), if the organization needs more sales to remain viable, then an impact of not processing the PII could be job losses.
2.1.4 Other issues
Any other issues that might be relevant:
• Has this processing been carried out before, and if so, what were the results?
• Is the processing ethical?
• Would the processing have any negative impact and, if so, what and for whom?
There may be other factors for and against the processing and it is important to present a balanced view. Try to use firm facts where possible, rather than subjective opinions.
2.2 The necessity test
For legitimate interest to be a valid lawful basis for processing PII, it must be shown that the processing is required for the benefit to be gained. Consider whether there are other ways to achieve the objectives stated in the purpose test which don’t involve processing the PII, or involve processing less of it.
On the Legitimate Interest Assessment Form, explain why the processing must happen in the way described for the intended benefits to be forthcoming. In particular:
• How does the processing relate to the benefits expected?
• Is the processing as proposed the best way to achieve the result?
• What alternatives have been considered and why were they rejected?
Staying with the direct marketing theme, the objective of increasing sales could be met via advertising which doesn’t involve the processing of PII. However, this method may not provide as good a return on investment as emailing customers who have already purchased similar products and services.
2.3 The balancing test
[Note that the balancing test is not required in the UK under the Data (Use and Access) Act 2025 if the processing is necessary for reasons specified in a list of “recognised legitimate interests”, although these are only likely to be relevant to public bodies.]
Having established the nature of the interest, its benefits and the fact that the processing is necessary for the benefits to be gained, the final step is to assess whether the identified interest overrides the privacy interests of the PII principals involved.
Use the Legitimate Interest Assessment Form to assess this balance of interests by addressing the following questions:
• Who are the PII principals?
How can the PII principals be typically categorized? Pay attention to whether any of them belong to vulnerable groups such as children, or if there are any cultural considerations.
• What is the organization’s relationship with the PII principal?
Consider whether the organization is known to the PII principal and if so, what the nature of the relationship is. For example, are they a customer, a service user or an applicant?
• What PII is involved in the processing?
Does any of the PII being processed fall into special or sensitive categories, such as political opinions or biometric data (e.g. fingerprints)?
• What is the likely reaction of the PII principal to the processing?
Would the PII principal reasonably expect the processing to be carried out or are they likely to regard it as intrusive or inappropriate? Any consultation with representatives of the PII principals would add weight to the case in this area.
• What is the potential impact on the PII principal?
What consequences could the processing have on the PII principal e.g. could it take their time, affect their reputation or cost them money?
• How could the impact on the PII principal be lessened?
Are there any techniques or approaches that could be used to reduce the impact on the PII principal, e.g. emailing rather than telephoning, or giving them an element of choice such as an unsubscribe or opt-out option?
2.4 Assessment decision
Once the three tests have been completed, an assessment must be made about whether, on balance, the processing may be lawful based on legitimate interest.
The decision made must be recorded on the Legitimate Interest Assessment Form together with details of who carried out the assessment and when, and who approved the decision.
Records of legitimate interest assessments must be retained as evidence that such an assessment was carried out, and as input to the relevant privacy notice.