Legitimate Interests Assessment (LIA) Template

The fields an LIA records to evidence the GDPR Article 6(1)(f) three-part test — purpose, necessity and balancing.

A legitimate interests assessment (LIA) template is the structured set of fields that record the GDPR Article 6(1)(f) three-part test — the purpose test, the necessity test and the balancing test — to evidence that legitimate interests is a valid lawful basis for a processing activity. The ‘LIA’ form is regulator guidance (the ICO and the former Article 29 Working Party) rather than express GDPR text, but carrying out the assessment is required in substance to rely on the basis, and recording it is part of demonstrating accountability. This guide sets out the fields, the three tests in full, and how to keep the assessment defensible.

Key takeaways

  • An LIA evidences the Article 6(1)(f) lawful basis through three tests: purpose, necessity and balancing.
  • You can only rely on legitimate interests if the interest passes all three.
  • The LIA form is guidance, not express statute — but the assessment is required in substance, and the ICO says you should keep a record.
  • The UK's new ‘recognised legitimate interests’ basis (DUAA 2025) is separate — it skips the balancing test for listed purposes and is not what an LIA covers.

What fields should an LIA template include?

An LIA record should capture, for the processing activity in question:

  1. The processing and its context — what data, whose, for what activity, and how individuals would expect it to be used.
  2. Purpose test — the legitimate interest being pursued (yours, a third party's, or a societal one) and why it matters.
  3. Necessity test — why the processing is necessary for that purpose, and whether a less-intrusive option exists.
  4. Balancing test — the individual's interests, rights and freedoms, their reasonable expectations, the nature of the data, and the safeguards that tip the balance.
  5. Safeguards and mitigations — the measures relied on to reduce the impact on individuals (for example, opt-outs, minimisation, transparency).
  6. Conclusion, owner and date — the outcome, who approved it, and when it is next due for review.

The three-part test in full

| Test | The question | What to record |
|---|---|---|
| Purpose | Are you pursuing a genuine legitimate interest? | The interest, who it belongs to, and why it is legitimate |
| Necessity | Is the processing necessary for that purpose? | Why it is needed, and that no less-intrusive route achieves it |
| Balancing | Do the individual's interests override the legitimate interest? | Reasonable expectations, the nature of the data, the impact, and the safeguards that tip the balance |

The legitimate-interests basis is only available if the interest passes all three tests; a failed or borderline balancing test is also a useful signal that a DPIA may be needed.

Is a spreadsheet LIA enough?

A template captures the three tests, and for an occasional assessment it can be the whole record. Its limit is the same as any privacy assessment: a static file cannot show who approved the conclusion, what evidence supported the balancing, or whether it still holds when the processing changes. Because the LIA rests on the same facts as a DPIA, a transfer assessment or the Article 30 record, the practical move is to run it in one governed workflow that keeps the approval and evidence trail and links the conclusion to the wider record — see Acompli Assessments.

Common questions about the LIA

What is a legitimate interests assessment (LIA)?

An LIA is the assessment that establishes whether 'legitimate interests' can be the lawful basis for a processing activity under GDPR Article 6(1)(f). It works through a three-part test — a purpose test, a necessity test and a balancing test — and records the conclusion. The 'LIA' form is regulator guidance from the ICO and the former Article 29 Working Party rather than express GDPR text, but carrying out the assessment is required in substance to rely on the basis, and keeping a record of it is part of demonstrating accountability.

What are the three parts of the LIA test?

The purpose test asks whether you are pursuing a genuine legitimate interest — your own, a third party's, or a broader societal one. The necessity test asks whether the processing is necessary for that purpose and whether a less-intrusive route would achieve the same end. The balancing test asks whether the individual's interests, rights and freedoms override the legitimate interest, taking into account their reasonable expectations, the nature of the data and any safeguards. You can only rely on legitimate interests if the interest passes all three.

Is an LIA legally required?

GDPR Article 6(1)(f) does not name a document called an 'LIA', but to rely on the legitimate-interests basis you must in substance carry out the balancing it describes — so the assessment is effectively required, and the ICO advises that you should keep a record of it as part of accountability. Documenting it as a formal LIA is best practice rather than an express statutory form. Note that the UK's Data (Use and Access) Act 2025 also introduced a separate 'recognised legitimate interests' basis for certain listed purposes that does not need the balancing test — that is distinct from the Article 6(1)(f) legitimate interests an LIA covers.

How does an LIA relate to a DPIA?

They are different assessments that share underlying facts. An LIA decides whether legitimate interests is a valid lawful basis; a DPIA assesses whether a high-risk processing activity can be done lawfully and how to reduce the risk. A borderline or failed balancing test in an LIA can be a signal that a DPIA is needed. Because both rest on the same description of the processing, good assessment software lets an approved LIA and DPIA share that context rather than re-keying it, with an audit trail of each decision.