Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re looking for a lawful alternative to consent under UK data protection law, “legitimate interests” can be a useful legal basis - especially for routine business operations and some types of marketing. But to use it safely, you should complete a Legitimate Interest Assessment (LIA). This isn’t just best practice; it’s an important part of your accountability duties under the UK GDPR.
In this guide, we’ll walk you through when to rely on legitimate interests, how to complete a legitimate interest assessment template step-by-step, and what to include in your records so you’re protected from day one.
What Is A Legitimate Interest Assessment (LIA)?
A Legitimate Interest Assessment (LIA) is a short, structured record that shows you’ve thought through whether “legitimate interests” is an appropriate legal basis for processing personal data under Article 6(1)(f) UK GDPR. It typically includes three parts:
- Purpose test - what is the legitimate interest and why is it important to your business?
- Necessity test - is the processing necessary to achieve that interest, or can you reasonably use a less intrusive alternative?
- Balancing test - do the individual’s interests, rights and freedoms override your interest? What safeguards will you put in place to tip the balance in favour of your approach?
Doing an LIA helps you demonstrate the UK GDPR’s accountability principle and is often requested by clients, partners or the ICO during audits or investigations. It’s separate from a DPIA (Data Protection Impact Assessment), which is required for high-risk processing, but the two can complement each other.
When Should Your Business Use Legitimate Interests (And When Not)?
You can rely on legitimate interests where:
- Your purpose is lawful, specific and real (for example, fraud prevention, network security, internal administration, or direct marketing to your own customers within UK rules).
- The processing is necessary to achieve that purpose - you can’t achieve it in a less privacy-intrusive way.
- After balancing, the individual’s rights don’t override your interests - and you’ll apply sensible safeguards.
Common small business scenarios that may fit legitimate interests (subject to the LIA):
- Basic analytics and site security logs to keep your website running securely.
- Customer relationship management (CRM) and retention activities for existing customers.
- Business-to-business (B2B) outreach where you’re targeting company contacts in a proportionate way, with an easy opt-out.
- Limited, targeted direct marketing by email or post to your own customers (noting separate PECR rules for electronic marketing).
When not to use legitimate interests:
- Public authorities performing tasks in the public interest - legitimate interests is generally not available.
- If you’re processing special category data (e.g. health data) without another Article 9 condition.
- Where consent is clearly the more appropriate basis (e.g. optional services, sensitive tracking, or non-essential cookies - consent is typically required for cookies under PECR).
- When individuals would not reasonably expect the processing and your interest does not outweigh their rights.
If you do rely on legitimate interests, your Privacy Policy should name that legal basis and clearly explain your legitimate interests and the individual’s right to object.
How To Complete A Legitimate Interest Assessment Template (Step-By-Step)
Below is a practical LIA structure you can adapt. Keep it concise (1–3 pages per activity), but complete enough to show your reasoning - that’s what matters if anyone ever asks “why legitimate interests?”
1) Define The Purpose (Purpose Test)
Describe what you want to do and why. Be specific:
- Processing activity: “We will email existing customers about similar products they purchased in the last 12 months.”
- Business interest: “We have a legitimate interest in promoting related products to existing customers to grow revenue and improve retention.”
- Benefit to others: “Customers benefit from relevant offers and updates on complementary products they reasonably expect to hear about.”
Tip: If you can’t explain the purpose clearly in a few lines, it may be too broad - narrow the activity and do separate LIAs for different data uses.
2) Confirm The Legal Basis And Context
- Legal basis: “Article 6(1)(f) UK GDPR - legitimate interests.”
- Why not consent or another basis? Briefly explain why consent is not appropriate (e.g. risk of consent fatigue; processing is expected by the relationship), or why contract/legal obligation isn’t a fit.
- Who is affected: “Existing customers; adult consumers in the UK.”
- Data categories: “Name, email address, purchase history (last 12 months). No special category data.”
3) Assess Necessity (Necessity Test)
Explain why the processing is needed for the purpose and why a less intrusive option won’t work as well:
- Necessity: “We need purchase history to segment emails so communications remain relevant and limited.”
- Alternatives considered: “Generic newsletters were considered but generate irrelevant contact; web-only promotions would not reach customers who rely on email updates.”
4) Balance Interests And Risks (Balancing Test)
Identify likely impact on individuals and how you’ll mitigate it:
- Reasonable expectations: “Customers reasonably expect to hear about similar products after a purchase.”
- Likelihood/severity of harm: “Low; limited data, minimal intrusion, no profiling of sensitive traits.”
- Safeguards: clear opt-out in every message, data minimisation, frequency caps, and internal access controls.
- Children or vulnerable people: “Not targeted; suppression lists exclude under-18s where age is known.”
Outcome: State whether, on balance, your interests are not overridden by the individual’s interests, and note any conditions (e.g. frequency caps of 1 email/month).
5) Define Safeguards And Opt-Outs
List practical measures you’ll adopt to reduce impact:
- Transparency: update your Privacy Policy and provide a succinct notice at collection.
- Control: easy, one-click unsubscribe for emails and a prominent “object” route for other channels.
- Data minimisation: use only what’s needed, keep it accurate, and set short retention periods.
- Security: role-based access; encryption at rest and in transit where appropriate.
- Supplier controls: ensure any processors have a robust Data Processing Agreement in place.
6) Record The Decision And Review Cycle
Close your LIA with a clear decision, owner and review date:
- Decision: “Proceed under legitimate interests with the safeguards listed.”
- Owner: name/title of the responsible manager.
- Review: set a cadence (e.g. 12 months) or trigger points (new audience, new data types, increased frequency).
Make sure your team knows where LIAs are stored and how to update them when campaigns or systems change.
What To Include In Your LIA Record (With Example Wording)
A good legitimate interest assessment template usually includes the following sections. Feel free to adapt the headings to suit your workflows, but keep these core elements.
Cover Details
- Processing Name: “Customer Upsell Emails (Existing Customers)”
- Date/Version: “10 Oct 2025 / v1.2”
- Owner/Reviewer: “Head of Marketing / Data Protection Lead”
Purpose Statement (Example)
“We process customers’ names, email addresses and recent purchase history to send occasional emails about similar products. Our legitimate interest is to promote complementary products that our customers reasonably expect, supporting sustainable growth while providing relevant recommendations.”
Necessity Statement (Example)
“Using recent purchase history is necessary to limit emails to relevant products only. Without this, communications would be generic and more intrusive. We considered alternative channels but determined email is the least intrusive and most controllable method for this purpose.”
Balancing And Safeguards (Example)
“The potential impact on individuals is low. We’ll minimise data used, cap frequency (max one email per month), include a clear unsubscribe link in every email, and honour objections within 48 hours. We will not use special category data or target children.”
Outcome (Example)
“On balance, our legitimate interest is not overridden by individuals’ interests or rights, provided we apply the safeguards listed. Decision: proceed.”
Linked Policies, Notices And Contracts
- Public-facing disclosures: ensure your Privacy Policy identifies “legitimate interests” and sets out the right to object.
- Processor contracts: keep a signed Data Processing Agreement with any email platform or CRM provider.
- Data sharing: if you share personal data with another controller, consider a Data Sharing Agreement.
Remember: templates are a starting point. Your LIA should reflect your real processing, real audiences and real safeguards - that’s what makes it persuasive and compliant.
How LIAs Interact With Other UK Privacy Requirements
Using legitimate interests is one piece of the privacy puzzle. Make sure the surrounding compliance pieces are in place too.
Transparency And Privacy Notices
Even if you do a perfect LIA, you still need clear, layered transparency. Keep your Privacy Policy up to date, explain the legal basis, identify your legitimate interests in plain English, and tell people how to object. If you’re collecting data directly, provide a short notice at the point of collection linking to the full policy.
Electronic Marketing And Cookies (PECR)
The legitimate interests basis under the UK GDPR doesn’t override the Privacy and Electronic Communications Regulations (PECR). For most non-essential cookies and similar tracking technologies, you’ll still need consent and compliant Cookie Policy wording, along with lawful, user-friendly cookie banners. For email/SMS marketing, check the PECR rules and consider the “soft opt-in” for existing customers where it applies, always providing an opt-out in every message.
Individual Rights
Individuals can object to processing based on legitimate interests at any time. Build processes to capture and act on objections quickly. Be ready to handle Subject Access Requests and other rights (erasure, restriction). Your LIA can help you explain why you processed data and what safeguards applied.
Security And Vendor Management
If vendors process data for you, you must have appropriate contracts and controls in place. A robust Data Processing Agreement and due diligence will support your LIA’s safeguards and show you took “appropriate technical and organisational measures.”
Accountability And Your Compliance Toolkit
LIAs live alongside other records that demonstrate compliance, such as ROPAs (records of processing activities), privacy notices, training logs and internal policies. If you’re building out your framework, consider a bundled approach like a GDPR Package to pull these elements together efficiently.
Fees, Registration And The ICO
Most UK businesses must pay the ICO data protection fee unless exempt. It’s a quick win to check your position early using the ICO’s categories - our quick explainer on the ICO fee can help you understand what applies.
A Fill-In-The-Blanks LIA Template Outline You Can Use
Here’s a clean outline you can adapt for each processing activity. Keep it short and focused.
- Processing Name:
- Owner / Department:
- Date / Version:
- Summary Of Processing (what you’re doing):
- Purpose (your legitimate interest):
- Legal Basis: Article 6(1)(f) - legitimate interests
- Data Subjects And Data Categories:
- Special Category Data? (Yes/No; if yes, identify Article 9 condition or do not proceed):
- Necessity (why this processing is necessary; alternatives considered):
- Balancing Test:
  - Reasonable expectations:
  - Potential impact (likelihood/severity):
  - Vulnerable groups involved? (Yes/No):
  - Safeguards and mitigations:
  - Outcome (interests not overridden? proceed / do not proceed):
  - Conditions (frequency caps, additional safeguards, exclusion lists):
- Transparency (Privacy Policy updated? notice at collection?):
- Rights (objection/opt-out process and SLA):
- Vendors (DPA in place with processor? security reviewed?):
- Retention (how long; deletion schedule):
- Review (date/trigger events):
- Approvals (names/titles):
Store each approved LIA with your other privacy records and link it to the campaign brief or system configuration where relevant. If the activity changes (new audience, new data, higher frequency), review the LIA - don’t just set and forget.
Practical Tips To Keep Your LIA Defensible
- Write for a busy reader. Assume a regulator or client has five minutes - can they see your purpose, necessity, balancing and safeguards at a glance?
- Be honest about risk and show what you did to reduce it (e.g. frequency caps, exclusion lists, pseudonymisation).
- Don’t copy-paste the same wording for every LIA. Tailor to the audience, channel and data used.
- Align your LIA with public-facing transparency. If you say “occasional” emails, set a max frequency internally.
- Keep the plumbing in place: clear privacy notices, easy objections, compliant cookie experience and strong processor contracts.
- If in doubt, test. User research or past unsubscribe rates can support your “reasonable expectations” analysis.
Key Takeaways
- A Legitimate Interest Assessment (LIA) documents the purpose, necessity and balancing tests so you can rely on Article 6(1)(f) confidently and meet accountability duties.
- Use legitimate interests where processing is expected, proportionate and low-risk - and avoid it where consent or another basis is clearly more appropriate.
- Build a simple, repeatable LIA template with clear safeguards, easy opt-outs, and links to your Privacy Policy and vendor controls like a Data Processing Agreement.
- Remember PECR: for most non-essential cookies you’ll need consent and compliant cookie banners, regardless of your GDPR legal basis.
- Have operational processes to handle objections and Subject Access Requests promptly.
- Set a review cycle. Update your LIA if the audience, data, frequency or technology changes, and consider a structured toolkit like a GDPR Package to keep everything aligned.
If you’d like tailored help preparing a legitimate interest assessment template, updating your privacy notices, or putting the right contracts in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.