Legitimate Interests Under UK GDPR: How to Use It Without Getting It Wrong



Legitimate interests is one of the most commonly relied-on lawful bases under the UK GDPR; nevertheless, it is also one of the most commonly misapplied. In practice, it can be an entirely appropriate basis for processing personal data, particularly where the processing is expected, proportionate, and supported by sensible safeguards. However, because this basis depends on context and balancing, it only really holds up when you can demonstrate that you have assessed necessity and impact through a Legitimate Interests Assessment (LIA). The ICO’s guidance makes clear that organisations should consider when legitimate interests is appropriate and keep records that help demonstrate compliance. (ICO)

This guide explains what legitimate interests is, when it works well (and when it doesn’t), and how small businesses can produce an LIA that is structured, defensible, and aligned with their privacy notice.

Why legitimate interests matters (and why it causes problems)

Legitimate interests is attractive because it feels operationally realistic: unlike consent, it is not withdrawn on a whim, and unlike contractual necessity, it does not require every processing activity to be “strictly required” to deliver a service. However, that flexibility comes with a trade-off, because you must be able to show that your interests are not overridden by the individual’s rights and freedoms, especially where the processing is unexpected or could create a tangible risk to the individual.

Although the UK GDPR does not provide a rigid definition of what counts as a legitimate interest, the ICO notes that the concept is broad and can include straightforward commercial interests, provided your assessment and safeguards are appropriate to the processing. (ICO)

The three-part LIA test (purpose, necessity, balancing)

A robust Legitimate Interests Assessment typically follows three stages. While templates vary, the underlying logic is consistent: you identify the interest, test whether the processing is necessary, and then balance that against the individual’s interests.

1) Purpose test: What is the legitimate interest?

Start by defining the interest clearly and specifically. “Running the business” is too vague to be meaningful; by contrast, “preventing fraud on customer accounts” or “maintaining network security” is more precise, measurable, and defensible.

At this stage, you should also confirm that the interest is lawful and genuine, and that the processing is not being used to justify something that would be better supported by another lawful basis.

2) Necessity test: Is this processing necessary to achieve it?

Here, “necessary” should be understood as proportionate and targeted, rather than “no alternative exists.” In other words, you are asking whether there is a less intrusive, reasonably available way to achieve the same aim with reduced impact on individuals.

For example, if your interest is preventing automated spam submissions, limited rate-limiting and short-lived security logs may be proportionate; however, building detailed behavioural profiles of visitors for indefinite periods is unlikely to be “necessary” for that purpose.

3) Balancing test: Do the individual’s interests override yours?

This is where legitimate interests either survives scrutiny or collapses on contact with reality.

A strong balancing test typically considers:

  • the nature of the data (basic identifiers vs more sensitive information);
  • the relationship (customer, employee, prospect, website visitor);
  • reasonable expectations (is this what people would anticipate?);
  • the likely impact (financial harm, distress, exclusion, or loss of control); and
  • the safeguards in place (minimisation, retention limits, opt-outs, access controls).

The ICO highlights that legitimate interests requires consideration of the impact on individuals, and that additional care is required in higher-risk contexts, such as children’s data. (ICO)

What a good LIA looks like in practice

A defensible LIA is readable, specific, and reviewable. Importantly, it should not be written as if it is trying to “win” a conclusion; instead, it should demonstrate that you have genuinely assessed whether legitimate interests is appropriate, and what mitigations are necessary to make it fair.

The ICO provides a sample LIA template that is genuinely useful as a baseline structure, particularly for SMEs trying to introduce repeatable governance without turning every decision into a legal project. (ICO)

A practical LIA record usually includes:

  • a short description of the processing (what you do, whose data, where it comes from);
  • the interest you are pursuing (purpose test);
  • why the processing is proportionate (necessity test);
  • the balancing analysis (expectations, risks, impacts);
  • safeguards and mitigations;
  • the outcome (proceed / proceed with changes / use another lawful basis); and
  • review triggers (new tools, new purposes, new audiences, new risks).

Common pitfalls that undermine legitimate interests

Pitfall 1: Using legitimate interests as the default for everything

While legitimate interests is flexible, it is not universal. If you are forcing the assessment to “pass,” that is often a sign that the processing is too intrusive, too unexpected, or insufficiently safeguarded.

Pitfall 2: Forgetting transparency

If you rely on legitimate interests, your privacy notice should not only name the lawful basis, but also explain what the legitimate interests are and how individuals can object. The ICO’s small-organisation guidance on privacy notices is a strong reference point for the content and clarity expected. (ICO)

Notably, the ICO flags that some privacy notice guidance is under review following the Data (Use and Access) Act coming into law on 19 June 2025, which is a helpful reminder that “set and forget” documentation rarely stays compliant for long. (ICO)

Pitfall 3: Treating the LIA as a one-off form

An LIA should be reviewed when the processing changes. For example, if you introduce new analytics tools, expand into new markets, begin using AI features, or start collecting new categories of data, your previous balancing assumptions may no longer be reliable.

Pitfall 4: Ignoring reasonable expectations

If your processing would surprise a typical person, your balancing test needs to be stronger, your safeguards tighter, and your transparency sharper. Put differently, surprise increases risk; therefore, you should either redesign the processing or choose a different lawful basis.

SME examples: where legitimate interests often works well

These are not blanket approvals; rather, they illustrate scenarios where legitimate interests is commonly relied upon, assuming the LIA supports it and safeguards are implemented.

Example A: Security logging

Purpose: prevent unauthorised access and investigate incidents
Necessity: limited logging supports detection and response
Safeguards: short retention, access controls, monitoring, minimised fields
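The “short-lived security logs” in the necessity test and the “minimised fields” and “short retention” safeguards in Example A are easy to state and easy to forget in the code that actually writes the logs. The following is an added example, not code from Athlex or the ICO: it keeps only an allow-list of fields needed for detection and response, coarsens the source IP before it is stored, and purges anything older than a fixed window. The field names, the allow-list, the truncation widths (/24 for IPv4, /48 for IPv6) and the 30-day window are assumptions chosen for illustration; a real LIA would record the values you actually use and why.

```python
"""Security-log minimisation and short retention.

Added example, not Athlex's or the ICO's code. Field names, the
allow-list, the IP truncation widths (/24 for IPv4, /48 for IPv6) and
the 30-day retention period are assumptions chosen to illustrate the
"minimised fields" and "short retention" safeguards.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

# Fields that detection and incident response actually need.
# Anything else (full user agent, referrer, request body) is dropped.
ALLOWED_FIELDS = {"ts", "event", "outcome", "user_id", "src_ip"}

RETENTION = timedelta(days=30)  # assumption: short, fixed window


def truncate_ip(ip: str) -> str:
    """Coarsen an IP so it still supports blocking and correlation but is
    less identifying. IPv4 keeps the /24, IPv6 the /48 (assumed widths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def minimise(entry: dict) -> dict:
    """Keep only allow-listed fields and coarsen the source IP."""
    kept = {k: v for k, v in entry.items() if k in ALLOWED_FIELDS}
    if "src_ip" in kept:
        kept["src_ip"] = truncate_ip(kept["src_ip"])
    return kept


def purge_expired(entries: list[dict], now: datetime) -> list[dict]:
    """Return only entries younger than RETENTION."""
    cutoff = now - RETENTION
    return [e for e in entries if datetime.fromisoformat(e["ts"]) >= cutoff]


def process(raw: list[dict], now: datetime) -> list[dict]:
    """Minimise every entry, then drop anything past retention."""
    return purge_expired([minimise(e) for e in raw], now)


# Constructed sample entries (not real logs) as an application might emit them.
RAW_LOG = [
    {"ts": "2025-07-01T09:00:00+00:00", "event": "login", "outcome": "fail",
     "user_id": "u1042", "src_ip": "203.0.113.77",
     "user_agent": "Mozilla/5.0 ...", "referrer": "https://example.test/x"},
    {"ts": "2025-05-01T09:00:00+00:00", "event": "login", "outcome": "ok",
     "user_id": "u1042", "src_ip": "2001:db8:abcd:1234::5",
     "user_agent": "curl/8.0"},
]


def demo() -> list[dict]:
    """Run the pipeline on the constructed sample at a fixed 'now'."""
    return process(RAW_LOG, datetime(2025, 7, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run on the constructed sample, the July entry survives with its user agent and referrer gone and its address reduced to 203.0.113.0, while the May entry is purged as outside the window. Two design points are worth noting: the allow-list is the documented answer to “which fields are necessary”, and the purge is applied to the minimised data, so nothing is ever retained in its original form past the point it is written.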

Example B: Service communications and account administration

Purpose: ensure continuity of service, manage accounts, prevent fraud
Necessity: basic identifiers and contact details are proportionate
Safeguards: clear privacy information, retention controls, role-based access

Example C: B2B prospecting (carefully)

Purpose: business development
Necessity: limited contact details for targeted outreach
Safeguards: clear opt-out, restrained frequency, suppression lists, and a stronger balancing test where expectations are less clear

How to reflect legitimate interests in your privacy notice

If you are using legitimate interests, your privacy notice should explain it in plain English. A simple, readable format is often the most effective:

  • Purpose: why you process the data
  • Lawful basis: legitimate interests
  • Our legitimate interests: the specific interest pursued
  • Your choices: how to object or opt out

For guidance on what should be included and how to write it clearly, the ICO’s privacy notice guidance for small organisations is a useful reference, and its “create your own privacy notice” tool can be helpful as a starting point for SMEs. (ICO)

When to choose a different lawful basis instead

Legitimate interests is often unsuitable where the processing is unexpected, intrusive, or high impact, particularly where:

  • you are processing children’s data;
  • you are using special category data in ways that increase risk; or
  • the processing could materially affect an individual’s opportunities, access, or treatment.

When the balancing test is strained, it is usually more effective to step back and reconsider the design of the processing itself, rather than trying to “paper over” risk with optimistic wording.

How Athlex can help

If you want legitimate interests to be defensible, you need more than a template you downloaded and forgot to tailor. You need processing-specific reasoning, a workable record, and wording that matches what you do day-to-day.

Athlex can support in a few ways:

  • Outsourced DPO support (ongoing guidance, governance, and risk management). (Athlex Limited)
  • Practical advisory support (including contract reviews, clause support, and compliance packages). (Athlex Limited)

Coming soon: Athlex templates built for small businesses.
We’re launching a set of downloadable templates designed to be practical, plain-English, and SME-ready, including LIAs, privacy notice wording, and other essentials. They’re built to reflect real-world processing, so you can implement them quickly without the usual “generic filler” problem.

In the meantime, you may find our UK GDPR compliance checklist for small businesses a useful quick-start resource. (Athlex Limited)

Key takeaways

Legitimate interests can be a strong, flexible basis under the UK GDPR; however, it only works when you can show your reasoning. If you document your LIA properly, apply safeguards that reduce risk, and align your privacy notice with what you actually do, you are far more likely to end up with compliance that is credible rather than cosmetic.

FAQ

What is legitimate interests under UK GDPR?

Legitimate interests is a lawful basis that may allow processing when you have a genuine interest that is not overridden by the individual’s rights and freedoms, provided the processing is fair and proportionate. (ICO)

Do I need a legitimate interests assessment (LIA)?

In practice, yes. An LIA is the clearest way to document your purpose, necessity, and balancing analysis, and the ICO provides a sample template to support structured decision-making. (ICO)

Do I need to mention legitimate interests in my privacy notice?

Yes. If you rely on legitimate interests, your privacy notice should communicate that basis and explain what the interests are, using clear, accessible language. (ICO)

Crafting a GDPR-Compliant Privacy Notice and Website Terms for Your Business


A privacy notice explains how your business uses personal data, and your website terms set the rules for using your site. Together they form a vital part of your compliance strategy, and for UK businesses getting them right is essential to meet obligations under the UK GDPR and to build trust with clients and partners. This guide outlines the key elements of a privacy notice and website terms and explains how to develop documents that are both informative and legally sound.

Why a Privacy Notice Matters

A privacy notice is your evidence of transparency: a public statement of what personal data you collect, why you collect it, how long you keep it, who you share it with and what rights individuals have. Athlex’s own privacy notice begins by explaining that it covers personal data when people contact the company, visit its website or use its services, and clarifies that personal data includes any information that can directly or indirectly identify an individual. Starting with that definition sets expectations and aligns with the legal requirement.

Information You Should Include

Your privacy notice should be comprehensive yet easy to understand. Consider including the following sections:

  • Who You Are: Identify your business name and contact details. If you have a Data Protection Officer (DPO) or representative, include their contact information.
  • What Data You Collect: Explain the categories of data you collect, such as names, contact details and information about a person’s role. If you collect data indirectly, describe the scenarios, for example receiving information from clients or through public sources.
  • How You Obtain Data: Describe the different ways you collect personal data, from website forms and customer interactions to third-party sources.
  • Why You Collect Data: Outline the purposes for processing personal data, such as providing services, sending marketing communications or complying with legal obligations.
  • Lawful Basis: Identify the legal basis for each purpose, such as consent, contract, legitimate interests or legal obligation.
  • How You Share Data: Explain if you share data with third parties and why. Be transparent about processors, partners or platforms used for marketing and analytics.
  • Data Retention: State how long you keep personal data and what criteria determine retention periods. If you have different retention periods for different data types, explain this clearly.
  • Security Measures: Summarise the technical and organisational measures you use to protect data.
  • Individual Rights: Inform people about their rights, including access, rectification, erasure, restriction, objection and data portability. Explain how they can exercise these rights and provide contact details for requests.
  • International Transfers: If you transfer data outside the UK, describe how you safeguard those transfers.
  • Updates: Indicate how you will notify people of changes to the notice.

Avoid legal jargon and keep sentences straightforward. Use headings and bullet points so readers can find information easily. Remember to provide the notice in a format accessible to people with disabilities.

Creating Website Terms

Website terms of use set expectations for visitors and protect your business from misuse. These terms should be tailored to your services and industry. Key areas to cover include:

  • Acceptance of Terms: State that by using the site, users agree to the terms and any related policies (privacy notice, cookie policy). Athlex’s terms open by welcoming users and advising them to read the terms alongside the Privacy Notice and Cookie Notice.
  • Permitted Uses: Explain how users may interact with your site. For example, they may view and print pages for personal use but must not reproduce content for commercial purposes without permission. If you allow quoting, specify that they must credit your business.
  • Prohibited Conduct: List activities you prohibit, such as attempting to gain unauthorised access, interfering with the site’s operation or uploading malicious code. Athlex’s terms warn against unlawful use, hacking and introducing malware. Writing these rules in plain language helps clarity.
  • Intellectual Property: Assert your ownership of the website’s content and branding. Outline what users can and cannot do with your content.
  • Liability and Disclaimers: Limit your liability for errors or interruptions on the site. Clarify that the site’s content is general information, not legal advice. If you offer downloadable materials, explain that users rely on them at their own risk.
  • Links to Third Parties: Include a disclaimer that you are not responsible for the content of external sites. If you allow others to link to your homepage, set conditions for doing so.
  • Governing Law: Specify which jurisdiction’s laws govern the terms and where disputes will be resolved.
  • Changes to Terms: Reserve the right to update the terms and advise users to check back regularly.

It is also important to consider accessibility. Provide the terms in a readable format and ensure they are easy to find – typically in the website footer.

Aligning Privacy Notices and Website Terms

While privacy notices and website terms serve different purposes, they should be consistent. Your terms should reference your privacy notice and cookie policy, and vice versa. Ensure definitions match and that you use the same language across documents. If you update the cookie policy in response to the Data (Use and Access) Act (DUAA), reflect that change in the terms by referring to the updated policy.

Keeping Documents Up to Date

Laws and business practices change. The DUAA amends the rules on cookies and similar technologies and on subject access requests, and the ICO is reviewing its guidance as a result. Keep an eye on guidance from the Information Commissioner’s Office and update your documents as necessary. Use clear effective dates and inform users when significant changes occur. Keeping a revision history in a separate log can help demonstrate accountability if regulators review your compliance.

Practical Tips for SMEs

  1. Use Templates Wisely: Starting with a reputable template can save time but customise it to your business. Make sure the purposes, lawful bases and contact details reflect your operations.
  2. Seek Professional Advice: For complex processing, hiring a data protection consultant or outsourcing your DPO can help you draft documents that meet legal requirements and business needs.
  3. Educate Your Team: Everyone who interacts with customers or data should understand what the privacy notice says. Training ensures consistent messaging and helps staff recognise when to direct people to the notice.
  4. Make It Visible: Link to your privacy notice and terms in the website footer, sign-up forms and anywhere you collect data. Transparency builds trust.
  5. Monitor Feedback: Pay attention to questions or complaints about your privacy notice or terms. If users find something unclear, update it.

If you’re using a template, make sure your GDPR privacy notice matches what you actually do in practice, not what the template guesses.

Conclusion

A clear privacy notice and well-structured website terms are cornerstones of good data protection practice. They help you comply with the UK GDPR, prepare for changes under the DUAA and set expectations for how visitors should use your site. By explaining what data you collect, why you collect it and how people can exercise their rights, you demonstrate respect for privacy. Clear website terms protect your business from misuse and reinforce that your content and services are valuable. Investing time in crafting these documents pays off in greater trust, fewer misunderstandings and reduced legal risk.



UK GDPR Compliance Checklist for Small Businesses (Without the Headache)


Running a business in the UK already comes with enough admin to make you question your life choices. Data protection should not be the thing that tips you over the edge.

If you collect personal data (and you probably do, even if it is “just” website enquiries, staff records, or customer emails), you need the basics in place. The good news: UK GDPR compliance is very doable when you focus on what actually matters.

This guide gives you a clear, practical checklist you can work through. No jargon. No panic. Just the steps that reduce risk and build trust.

If you want someone to sanity-check it all, Athlex can help too, either one-off or as your outsourced DPO. (More on that later.)

What counts as “personal data” in practice?

Personal data is information that can identify someone, directly or indirectly. Think:

  • Names, emails, phone numbers
  • Customer account details
  • IP addresses and online identifiers
  • Staff HR files and payroll details
  • CCTV footage (yes, still personal data)

If your business collects any of that, UK GDPR applies.

The Athlex UK GDPR checklist

1) Write a privacy notice that matches reality

Your privacy notice is how you meet the transparency requirement: telling people what you do with their data, in a way they can understand. The ICO expects privacy information to include the required points under the transparency obligations (including Articles 13 and 14). (ICO)

Quick win: check your privacy notice answers these questions:

  • What data do you collect?
  • Why are you collecting it (your purposes)?
  • What lawful basis are you relying on?
  • Who do you share it with (like processors and platforms)?
  • How long do you keep it?
  • What rights do people have and how do they use them?
  • How can they contact you (and the ICO)?

If your notice is a copy paste from 2019, it is not “fine”. It is a trust leak.


2) Sort your cookies and tracking (because the internet is nosey)

If your website uses analytics, marketing tags, pixels, embedded content, or anything that stores or accesses info on a user’s device, you need to follow the PECR rules on “storage and access technologies”. The ICO’s guidance explicitly covers cookies, tracking pixels, fingerprinting techniques, scripts and tags, and explains that PECR allows this only in certain circumstances or with valid consent. (ICO)

Also worth knowing: the ICO notes its storage and access guidance is under review due to the Data (Use and Access) Act coming into law on 19 June 2025. (ICO)

Quick win:

  • Make sure your cookie banner does not pre-tick “accept”
  • Separate “necessary” from analytics and marketing
  • Keep a record of what cookies you use and why
  • Offer an easy way to change preferences
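The four quick wins above are policy statements; the check a practitioner wants is that the application cannot set a non-essential cookie the visitor has not opted in to, and cannot set a cookie that is missing from the record at all. The following is an added example, not code from Athlex or the ICO, showing one way to enforce that at the point where Set-Cookie headers are emitted. The inventory contents, cookie names and category names are assumptions; the policy it encodes is the checklist’s own: nothing is pre-ticked, “necessary” is separated from analytics and marketing, every cookie must be in the record with a stated purpose, and preferences can be changed later.

```python
"""Consent-gated cookies and a cookie inventory check.

Added example, not code from Athlex or the ICO. The inventory contents,
cookie names and category names are assumptions. The policy encoded is
the checklist's: nothing pre-ticked, "necessary" separated from analytics
and marketing, every cookie recorded with a purpose, preferences changeable.
"""
from __future__ import annotations

from dataclasses import dataclass, field

NON_ESSENTIAL = ("analytics", "marketing")

# The record of what cookies are used and why (assumed contents).
COOKIE_INVENTORY = {
    "session":  {"category": "necessary", "purpose": "keep the user logged in"},
    "csrf":     {"category": "necessary", "purpose": "protect forms from CSRF"},
    "_ga_demo": {"category": "analytics", "purpose": "page view statistics"},
    "ad_id":    {"category": "marketing", "purpose": "ad campaign attribution"},
}


@dataclass
class Consent:
    """Per-visitor consent state. Defaults are all False, so nothing is
    pre-ticked; 'necessary' needs no consent and is not listed."""
    granted: dict[str, bool] = field(
        default_factory=lambda: {c: False for c in NON_ESSENTIAL})

    def update(self, choices: dict[str, bool]) -> None:
        """Apply a visitor's choices: the 'change preferences' path."""
        for cat, value in choices.items():
            if cat not in NON_ESSENTIAL:
                raise ValueError(f"unknown consent category: {cat}")
            self.granted[cat] = bool(value)


def may_set(cookie_name: str, consent: Consent) -> bool:
    """True only if the cookie is in the inventory and its category is
    either necessary or explicitly consented to."""
    meta = COOKIE_INVENTORY.get(cookie_name)
    if meta is None:
        return False  # unrecorded cookie: refuse rather than guess
    if meta["category"] == "necessary":
        return True
    return consent.granted.get(meta["category"], False)


def filter_set_cookie(headers: list[str], consent: Consent) -> tuple[list[str], list[str]]:
    """Split proposed Set-Cookie header values into (allowed, rejected)."""
    allowed, rejected = [], []
    for h in headers:
        name = h.split("=", 1)[0].strip()
        (allowed if may_set(name, consent) else rejected).append(h)
    return allowed, rejected


def unrecorded(headers: list[str]) -> list[str]:
    """Names the app tries to set that are missing from the record;
    either the record or the app needs fixing."""
    names = {h.split("=", 1)[0].strip() for h in headers}
    return sorted(names - set(COOKIE_INVENTORY))


# Constructed Set-Cookie values an application might try to emit.
PROPOSED = [
    "session=abc123; HttpOnly; Secure; SameSite=Lax",
    "csrf=tok; Secure; SameSite=Strict",
    "_ga_demo=GA1.1.1; Max-Age=63072000",
    "ad_id=xyz; Max-Age=31536000",
    "legacy_tracker=1",  # never recorded in the inventory
]

if __name__ == "__main__":
    c = Consent()                      # first visit: nothing ticked
    ok, no = filter_set_cookie(PROPOSED, c)
    print("allowed:", ok)
    print("rejected:", no)
    c.update({"analytics": True})      # visitor opts in to analytics only
    print("after opt-in:", filter_set_cookie(PROPOSED, c)[0])
    print("unrecorded cookies:", unrecorded(PROPOSED))
```

On a first visit only the two necessary cookies get through; after the visitor opts in to analytics alone, the analytics cookie is added but the marketing one is still refused; and the unrecorded `legacy_tracker` cookie is always rejected and surfaced by `unrecorded()` so the inventory and the code are reconciled rather than silently drifting apart. Keeping the decision in one function also gives you something concrete to point to when the LIA or the ROPA asks how the cookie record is actually enforced.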

3) Create a simple Record of Processing Activities (ROPA)

A ROPA sounds terrifying until you realise it is basically a structured list of what data you use and why.

The ICO has detailed guidance on what needs documenting under Article 30, including things like purposes, categories, recipients, transfers, retention, and security measures. (ICO)
And the legal text for Article 30 sets out the core requirements. (Legislation.gov.uk)

Quick win: start with your top 8 to 12 processing activities, usually:

  • Website enquiries
  • Customer management and service delivery
  • Marketing emails
  • HR and payroll
  • Supplier management
  • IT access and security logs
  • Finance and accounting records
  • CCTV (if used)

You do not need a 200-line spreadsheet on day one. You need a working baseline.

4) Check your lawful bases (and stop guessing)

Most SME processing falls under:

  • Contract (you need data to deliver what was bought)
  • Legal obligation (payroll, tax, regulatory rules)
  • Legitimate interests (some operations and B2B marketing)
  • Consent (often marketing, cookies, and optional extras)

Quick win: list your purposes, assign a lawful basis to each, and make sure the privacy notice matches. Consistency is half the battle.

5) Put a DSAR process in place before you get one

A DSAR (data subject access request) is when someone asks for a copy of the personal data you hold about them.

Most businesses mess this up in one of two ways:

  • they ignore it because it went to the wrong inbox
  • they respond late because nobody owns the process

Quick win DSAR setup:

  • Pick an internal owner and a backup
  • Create a shared mailbox or ticket tag
  • Keep a DSAR log
  • Have a standard response template ready


6) Decide when you need a DPIA (and keep it lightweight)

A DPIA is a Data Protection Impact Assessment. It helps you identify and reduce privacy risks when you are doing higher risk processing.

Common triggers include:

  • Large scale monitoring
  • Using special category data
  • Profiling or automated decision making
  • New tech or new data sources

Quick win: create a one page “DPIA triage” checklist:

  • What are we doing?
  • What data is involved?
  • What could go wrong for people?
  • What controls reduce the risk?
  • Do we need to consult anyone?

7) Tighten up supplier contracts

If a supplier processes personal data for you (email marketing platforms, cloud storage, CRM tools, payroll providers), you need the right data protection terms in place.

Quick win:

  • List your processors
  • Confirm what data they handle
  • Ensure you have a contract with data processing terms
  • Check where data is stored and whether there are international transfers

This is also one of the quickest ways to look credible in tenders.

8) Have a breach plan that is not just “panic”

Most “small incidents” become big ones because nobody knows what to do in the first hour.

The NCSC’s small business guidance includes practical steps for preparing your response and recovery from a cyber incident. (NCSC)

Quick win breach plan:

  • How to contain (disable accounts, isolate devices, preserve evidence)
  • Who to notify internally
  • How to assess severity and scope
  • Draft customer and stakeholder comms
  • Clear decision path for regulator notification

9) Keep only what you need (retention)

If your retention approach is “keep everything forever”, you are making your life harder and your risk bigger.

Quick win: define simple retention rules for the main categories:

  • Enquiries and leads
  • Customer records
  • Marketing lists and suppression lists
  • HR data
  • Financial records
  • CCTV

You can refine later. Start now.

10) Assign accountability (even if you do not “need a DPO”)

Not every business needs a formally appointed Data Protection Officer. But every business needs someone accountable for privacy tasks and decisions.

If you want ongoing support without hiring internally, an outsourced DPO model gives you a named expert, practical answers, and evidence you are taking governance seriously.


Common myths that waste your time

“We are too small for GDPR”

If you process personal data, size is not a magic shield. The rules still apply, and the reputational damage from getting it wrong is often worse for SMEs.

“We have a privacy policy, job done”

A policy is not compliance. It is just a document unless your actual practices match what it says.

“Consent solves everything”

Consent is not the default. It is one lawful basis, and it comes with conditions (freely given, specific, informed, easy to withdraw). Use it when it fits.

What “good” looks like for an SME

You do not need perfection. You need a sensible, defensible baseline.

A good SME setup usually looks like:

  • Clear privacy notice and cookie controls (ICO)
  • A working ROPA baseline (ICO)
  • DSAR process and templates
  • DPIA triage and a repeatable approach
  • Supplier contract hygiene
  • A breach playbook informed by good practice (NCSC)
  • Retention rules you can actually follow

That is enough to reduce risk fast, answer tender questions confidently, and sleep slightly better.

FAQs

Do I need a Data Protection Officer in the UK?

Not always. It depends on what you do and the scale and type of processing. Many SMEs do not legally need one, but they still benefit from outsourced DPO support for governance, risk, and credibility.

What is the fastest GDPR win for a small business?

Update your privacy notice and cookie setup, then create a basic ROPA. These are high impact and relatively quick. (ICO)

What should I do if I think we have had a data breach?

Contain first, then confirm facts and scope. Follow a structured response and recovery plan. The NCSC guidance is a strong starting point for SMEs. (NCSC)

Next step: make it simple

If you want a clear baseline without spending weeks reinventing the wheel:

  • Use the Athlex templates and toolkits to build your core documents
  • Or get ongoing cover with our outsourced DPO service
  • Or book a one-off review to identify gaps and prioritise fixes