You are here:
  1. Home
  2. Support services
  3. Practice management
  4. GDPR
  5. Legitimate interests

Legitimate interests

Posted: 5 August 2019

Legitimate interests is one of the lawful bases for using personal data. We recommend you rely on legitimate interests or contract as the lawful basis, rather than consent.

You’re likely to use legitimate interests if there is a minimal impact on the person’s privacy.

Three-part test

You need to follow a three-part test to show that you’ve chosen the right lawful basis. This is called a legitimate interests assessment (LIA).

The ICO have a sample LIA template to assess whether legitimate interest is the right lawful basis for you data processing.

Identify a legitimate interest  

Legitimate interests can include, for example:

  • marketing
  • client data
  • IT security
  • fraud prevention

Legitimate interests can be those of a controller or a third party.

Show it’s necessary 

You must be able to show why it’s necessary to use personal data to achieve your objective. The ICO has more on when processing counts as necessary.

Balance it against the person’s interests

You must balance the legitimate interests against your client’s interests, rights and freedoms.

If your client would not ‘reasonably expect’ you to use the data in the way you’re using it, or if it could cause ‘unwarranted harm’, their interests are likely to override your legitimate interest.

You can read more on balancing legitimate interests on the ICO website.

Recording your decision

Once you’ve completed the three-part test, you need to record your decisions. You also need to tell your client (the data subject) the details of the controller’s or third party’s legitimate interests. This can be done:

  • in your privacy policy
  • by writing to them
  • by telling them

Marketing

To rely on legitimate interests for marketing, you need to show that:

  • using someone’s data will have a minimal impact on their privacy
  • they are not likely to object to you using their data

You may need consent for electronic marketing.

See the ICO’s guidance on electronic and telephone marketing

Children

You can rely on legitimate interests when using children’s data but you should take extra care to make sure their interests are protected. The information in your privacy notice needs to be age-appropriate.

See the ICO’s guidance on children and the GDPR

Data to a third party

You may rely on legitimate interests to disclose personal data to a third party. These might be your own interests, the interests of a third party, or both.

You should consider:

  • why they want the information
  • if they need it
  • what they’ll do with it

If the three-part test is passed, you can rely on legitimate interests for the disclosure.

See more information on legitimate interests on the ICO website

> Next section: Contract as lawful basis

Recommended

professional development centre
GDPR for managers: an introduction

New online course, GDPR for managers featuring downloadable checklists and valuable resources from the Law Society and ICO.

GDPR for managers: an introduction > More