Legitimate Interest Assessment (LIA) Template (UK GDPR)

Note: This guide is informational and not legal or financial advice.

This guide explains what a UK legitimate interest assessment (LIA) template is, who it’s for, and what to do next.

What a Legitimate Interest Assessment is (and when you need one)

A Legitimate Interest Assessment (LIA) is a short, structured check you document when you want to rely on “legitimate interests” as your lawful basis for processing personal data under UK GDPR. In practice, it’s the written evidence that you have thought through why you need the data, whether your use is proportionate, and whether people’s rights and expectations are protected. A good UK legitimate interest assessment template usually follows three parts: a purpose test (what is the legitimate interest), a necessity test (is this processing needed for that purpose), and a balancing test (do individuals’ interests override yours).

You typically need an LIA when you are processing personal data for things like fraud prevention, network security, direct marketing to existing customers, internal admin, or limited analytics—where consent isn’t appropriate and no contract or legal obligation clearly fits. If you’re using legitimate interests for any new activity, a new audience, or a new type of data, you should update or redo the assessment.

You should not treat an LIA as a “tick-box” for high-risk processing. If the activity is likely to result in a high risk to individuals (for example, large-scale profiling, systematic monitoring, or using special category data), you may need a Data Protection Impact Assessment (DPIA) instead or as well. You’ll also want an LIA whenever your privacy notice says you rely on legitimate interests, because you may need to explain your reasoning if asked by the ICO or by individuals.

How to complete an LIA: purpose test, necessity test, balancing test (with a fill-in template)

A Legitimate Interests Assessment (LIA) helps you document why you rely on “legitimate interests” for processing personal data, and how you’ve protected people’s rights. In the UK, it’s typically written as three short tests you can evidence and revisit when things change.

1) Purpose test (why are you processing?)

State the specific interest (not a vague “business need”), who benefits, and why it’s lawful and expected. Example interests: fraud prevention, network security, service improvement, direct marketing to existing customers (where appropriate).

2) Necessity test (is this processing needed?)

Explain why the same outcome can’t reasonably be achieved with less data, less intrusive methods, or another lawful basis. Confirm data minimisation: what you collect, how long you keep it, and who can access it.

3) Balancing test (do individuals’ rights override your interest?)

Assess likely impact and expectations: relationship with the person, data sensitivity, vulnerability, scale, and risk of harm. List safeguards: opt-out/objection routes, transparency wording, access controls, retention limits, DPIA where relevant, and vendor contracts.

Fill-in LIA template (copy/paste)

Processing activity: [ ]
Controller/owner: [ ]
Purpose test: Legitimate interest: [ ] Benefits: [ ] Why expected/lawful: [ ]
Necessity test: Data used: [ ] Why necessary: [ ] Alternatives considered: [ ] Retention: [ ]
Balancing test: Likely impact: [ ] Sensitive data? [ ] Children/vulnerable? [ ] Scale: [ ]
Safeguards: [opt-out/objection], [transparency link], [security], [minimisation], [contracts]
Decision: Proceed / Don’t proceed / Modify [ ]
Review date & trigger: [ ]

Legitimate interests vs consent vs contract: which lawful basis fits common SME scenarios?

Contract fits when processing is objectively needed to deliver what the customer asked for. Typical SME examples: taking payment details to fulfil an order, storing a delivery address, emailing service updates, or sharing data with a courier. If you can’t perform the service without the data, contract is usually the cleanest basis (but it doesn’t automatically cover extra marketing or analytics).

Consent works best when you want people to actively choose, and when saying “no” shouldn’t disadvantage them. Common scenarios: email marketing to new leads, optional SMS promotions, non-essential cookies, or using customer photos in case studies. Consent must be specific, informed, and easy to withdraw—so avoid bundling it into terms or pre-ticked boxes.

Legitimate interests can suit day-to-day business needs where you have a genuine purpose and the impact on individuals is low and expected. Examples: basic fraud prevention, network/security monitoring, B2B prospecting by email where appropriate, suppressing previous opt-outs, or limited customer insight reporting. In the UK, you’ll typically document this via a Legitimate Interests Assessment (LIA).

Quick LIA template (UK): use the fill-in template in the section above.

LIA template FAQs (marketing, B2B email, cookies, retention, and how often to review)

Can I use a legitimate interest assessment (LIA) template for marketing?
Often, yes—if your use is proportionate, expected by the individual, and you can show minimal privacy impact. Your LIA should spell out the purpose (e.g., promoting similar services), why it’s necessary, and what safeguards you apply (easy opt-out, suppression lists, frequency caps).

Does B2B email marketing always fall under legitimate interests in the UK?
Not always. Many organisations rely on legitimate interests for certain B2B outreach, but you still need to check the relevant e-privacy rules for email marketing and document how you meet them. In your LIA template, include a “channel check” section: what you’re sending, to whom, how you got the address, and how opt-outs are handled.

Can I rely on legitimate interests for cookies?
Typically, only for cookies that are strictly necessary for providing the service the user requested. For analytics, advertising, and most tracking cookies, you’ll usually need consent. Your LIA template can still be useful for any server-side processing that follows, but don’t treat it as a substitute for cookie consent where required.

What should my LIA say about data retention?
Include a clear retention rule (e.g., “delete or anonymise after X months of inactivity”) and the reason. Add operational controls: review schedules, deletion processes, and how you handle objections.

How often should I review an LIA?
Revisit it when the purpose, data, audience, or technology changes, and otherwise on a regular cadence (commonly annually). Document triggers (new vendor, new tracking, new campaign type) and keep version history.

Compare Legitimate Interest Assessment (LIA) Template Options (UK)

If you’re looking to download or buy a legitimate interest assessment template for UK GDPR, the best choice depends on how quickly you need to deploy it, how complex your processing is, and whether you want guidance notes alongside the template. Use the comparison below to shortlist the right option for your organisation.

For each option: who it’s best for, what you typically get, pros, potential limitations, and what to check before using.

Basic LIA template (download)
  Best for: Small teams, straightforward processing, quick documentation
  What you typically get:
    • Single-page or short-form LIA
    • Sections for purpose, necessity, balancing test
    • Sign-off fields
  Pros:
    • Fast to implement
    • Low cost
    • Easy to share internally
  Potential limitations:
    • May not cover edge cases (children, special category data, large-scale profiling)
    • Often minimal guidance on how to complete
  What to check before using:
    • UK GDPR/ICO-aligned structure (purpose, necessity, balancing)
    • Space to document safeguards and outcomes
    • Version/date and owner fields

LIA template + guidance notes
  Best for: Teams that want clarity on what “good” looks like
  What you typically get:
    • Template plus completion instructions
    • Example wording for common scenarios
    • Checklist for safeguards
  Pros:
    • Reduces guesswork
    • More consistent assessments across departments
    • Helpful for onboarding new staff
  Potential limitations:
    • Still needs tailoring to your processing and risks
    • Examples may not match your sector
  What to check before using:
    • Clear prompts for documenting necessity and alternatives
    • Explicit section for data subject impact and mitigations
    • Guidance that avoids “one-size-fits-all” conclusions

Spreadsheet-based LIA (multi-processing log)
  Best for: Organisations tracking multiple LI uses across products/teams
  What you typically get:
    • Tabbed workbook for multiple LIAs
    • Drop-down risk ratings
    • Central register view
  Pros:
    • Good for governance and reporting
    • Consistent scoring and sign-off
    • Easier to audit internally
  Potential limitations:
    • Can become complex without ownership
    • Risk of “tick-box” completion
  What to check before using:
    • Fields for processing purpose, data categories, recipients, retention
    • Ability to record safeguards and review dates
    • Controlled access/versioning approach

LIA template bundled with DPIA toolkit
  Best for: Higher-risk processing where you may need both assessments
  What you typically get:
    • LIA template plus DPIA template
    • Risk/mitigation framework
    • Decision prompts for when to escalate
  Pros:
    • Better coverage for complex processing
    • Encourages consistent risk documentation
    • Useful for projects and change control
  Potential limitations:
    • More time to complete
    • May include sections you don’t need for low-risk processing
  What to check before using:
    • Clear separation between LIA and DPIA outputs
    • Prompts for safeguards (minimisation, transparency, opt-outs)
    • Review triggers (new purpose, new data, new recipients)

Policy pack (LIA template + privacy notice wording + procedures)
  Best for: Organisations formalising privacy governance
  What you typically get:
    • LIA template
    • Internal procedure for completing/approving LIAs
    • Supporting wording for transparency materials
  Pros:
    • Improves consistency and accountability
    • Helps align documentation with operational practice
    • Useful for audits and supplier questionnaires
  Potential limitations:
    • More content to maintain
    • May require adaptation to your structure and roles
  What to check before using:
    • Defined roles (owner, reviewer, approver)
    • Document control (version, review cycle)
    • Alignment between LIA outcomes and transparency statements

Quick selection guide

What “good” LIA templates usually include