How to Conduct a Legitimate Interest Impact Assessment

Be compliant with the GDPR by creating a Legitimate Interest Assessment

In 2018, the European Union passed the most sweeping consumer privacy protections with the General Data Protection Regulation. While this set of regulations is specific to the EU, it has a global impact. If you're a business that stores or processes the personal information of EU citizens, then you must comply.

If you want to minimize your organization's risk when it comes to GDPR, then you should conduct a Legitimate Interest Impact Assessment. Unfamiliar? Read on to learn more!

What Is a Legitimate Interest Impact Assessment?

A legitimate interest impact assessment (LIA) is a risk assessment that businesses use to determine whether their purpose for processing personal data is based upon a legitimate interest of the business.

GDPR does not identify specific factors that a business must consider when determining whether its purpose for storing or processing personal data is a legitimate interest. That said, when you identify your purposes, you must define them clearly and specifically. Vague descriptions of purpose will not do, and interests must be balanced with the rights and interests of the data subjects.

The LIA is a three-part test based upon the definition in GDPR Article 6(f).


The purpose test asks whether there is a legitimate interest in processing private data. There are several questions that you should ask when conducting this part of the test. Remember, you need to be as specific as possible in your answers to all parts of this test.

Ask why you're processing data and what the benefits of the data are. Is processing private data in your interest, and is it an ethical use of private data? What happens if you don't process the data?

Finally, make sure that you have a lawful basis to process the data.


The necessity test asks whether the processing you plan to do (or are already doing) with the private data you hold is necessary. Specifically, it asks whether the processing is necessary for the purposes that you have identified and hope to achieve, and whether you can articulate the benefits of the processing.

Ask whether you can achieve your purposes by processing less data or without data entirely. Finally, are there less intrusive methods for achieving your purpose?


The balancing test asks if the legitimate interest is outweighed by the fundamental rights and freedoms of your data subjects.

Not all data is created the same. If you are processing sensitive personal data like biometric, genetic, and health data, then your purposes might be outweighed. The same is true if you're processing information about minors or if there is a high risk to the individuals as a result of your processing their personal data.

Need Help with GDPR Compliance?

Processing and storing the personal data of EU citizens in the age of GDPR is a risky process. Though it is not mandatory, regularly undertaking a legitimate interest impact assessment can help minimize your business's risk. The more your company does to respect the privacy of individuals, the better off you will be.

Does your company need assistance with managing your LIA? You've come to the right place! Sign up with Dapple today to learn how we can help you easily manage your Legitimate Interest Impact Assessments!

Get started with your Legitimate Interest Impact Assessment today!