When I started, my experience was initially characterized by having absolutely zero understanding of the concept. Today, I act as DPO for multiple corporations. One such corporation is entirely US-facing and HIPAA-compliant and the other corporation is globally-facing, making compliance an even more in-depth study for me personally. The journey from then until now has been interesting, frustrating, confusing, and enlightening, sometimes all at once.
While my role is DPO at a few organizations, my role is that of individual user at most organizations. This is true of literally every DPO and DPOs can use this “full-circle” perspective when implementing Data Policies by considering their experience as an individual user.
One habit I’ve developed over the years is analyzing the policies of the organizations with which I interact as an “Individual User”. I’ve spent more time than I care to admit reading Privacy Policies, Data Protection Policies, and Data Processing Addendums.
Having no initial formal training on the subject, I found that studying the policies of organizations, as well as staying informed on the changing relevant legislation, has given me a deeper understanding and appreciation for the benefits of data protection policies.
Shifting control of individual user data from data processors to the users themselves can have significant positive impacts on all parties involved, organizations and individuals alike.
Of course, currently, there is still a tremendous amount of “good-faith” conceded by the individual users that organizations are acting in accordance with their own policies. As such, there are going to be instances where data processing procedures are not implemented or carried out appropriately, either by accident or by design. In either scenario (accidental mishandling or intentional mishandling), the individual user pays the cost.
For those unfamiliar with data processing procedures, here’s a snippet of a policy I read on a forum that I frequently interact with as an individual user:
“We will process your personal data when we have a legitimate interest in doing so.
At times we will need to process your data to pursue our legitimate business interests, for example for administrative purposes, to provide information to you, to operate, evaluate, maintain, develop and improve our websites and services or to maintain their security.
We will not process your data on a legitimate interest basis where the impact of the processing on your interests and rights outweigh our legitimate interests.
If you do not want us to process your personal data on the basis of our legitimate interests, let us know and we will double check to make sure that our interests in processing your personal data don’t outweigh your interests and rights.”
Before my role as DPO, my first thought when reading this type of language was: “Are they serious?”
Consider the following sentence specifically:
“We will not process your data on a legitimate interest basis where the impact of the processing on your interests and rights outweigh our legitimate interests.”
Having a very scant familiarity with the topic, one might wonder how on earth this could even be implemented and enforced.
The purpose of this post is to share the basics of how such a policy could be implemented. We’ll also investigate how data processors acting in “bad-faith” take on the role of threat actors in their handling of individual user data.
Legitimate Interests Assessment as a Science
To quantify the balance test between legitimate interests and data subject rights, we can develop a scoring formula based on the Legitimate Interests Assessment (LIA) framework, which typically includes three components:
- Purpose Test (P) – Evaluates the legitimacy and necessity of the processing.
- Necessity Test (N) – Assesses whether the processing is essential for the stated purpose.
- Balancing Test (B) – Weighs the impact on the data subject’s rights and interests.
We define a Legitimate Interest Score (LIS) as follows:
\[
LIS = (P \times W_P) + (N \times W_N) - (B \times W_B)
\]
Where:
- \( P \) = Purpose score (1 to 5)
- \( N \) = Necessity score (1 to 5)
- \( B \) = Impact on the data subject (1 to 5) (higher means more impact on rights)
- \( W_P, W_N, W_B \) = Weights assigned to each factor (e.g., 0.4, 0.3, 0.3)
Scoring Criteria:
- Purpose Test (P) (1-5):
  - 1 – No clear legitimate interest.
  - 3 – Business necessity but with alternatives.
  - 5 – Strong legitimate interest with legal/regulatory justification.
- Necessity Test (N) (1-5):
  - 1 – Processing is not necessary.
  - 3 – Alternative methods available but less effective.
  - 5 – No viable alternatives; processing is essential.
- Balancing Test (B) (1-5):
  - 1 – No significant impact on data subjects.
  - 3 – Some impact but mitigations in place.
  - 5 – High impact on privacy, security, or rights.
Decision Rule:
- LIS ≥ 3 → Legitimate Interest Justified
- LIS < 3 → Legitimate Interest Not Justified (processing must stop)
Example 1: Marketing Emails to Existing Customers
- Purpose (P) = 4 (business interest)
- Necessity (N) = 3 (alternatives exist but less effective)
- Impact (B) = 2 (minor privacy impact)
- Weights: \( W_P = 0.4, W_N = 0.3, W_B = 0.3 \)
\[
LIS = (4 \times 0.4) + (3 \times 0.3) - (2 \times 0.3) = 1.6 + 0.9 - 0.6 = 3.1
\]
✅ Processing Allowed
Example 2: Tracking User Behavior for Profiling Without Consent
- Purpose (P) = 3 (business analytics)
- Necessity (N) = 2 (not essential)
- Impact (B) = 4 (significant impact on privacy)
- Weights: \( W_P = 0.4, W_N = 0.3, W_B = 0.3 \)
\[
LIS = (3 \times 0.4) + (2 \times 0.3) - (4 \times 0.3) = 1.2 + 0.6 - 1.2 = 0.6
\]
❌ Processing Not Allowed
This approach provides a transparent, quantifiable way to determine if data processing under legitimate interest is justifiable.
Next: Adjusting the Formulas in Favor of the Processor
To refine the weightings in favor of business legitimate interests, we adjust the formula so that purpose and necessity carry significantly more weight compared to the impact on the data subject’s rights. This ensures that business interests are prioritized unless the impact on individuals is extremely severe.
Updated Formula:
\[
LIS = (P \times 0.5) + (N \times 0.4) - (B \times 0.1)
\]
Updated Weights:
- Purpose (P) = 50% weight (was 40%)
- Necessity (N) = 40% weight (was 30%)
- Impact (B) = 10% weight (was 30%)
Decision Rule (More Business-Friendly Thresholds):
- LIS ≥ 2.5 → Legitimate Interest Justified
- LIS < 2.5 → Legitimate Interest Not Justified
Refined Examples:
1️⃣ Marketing Emails to Existing Customers
- Purpose (P) = 4 (business necessity)
- Necessity (N) = 3 (alternatives exist but less effective)
- Impact (B) = 2 (low impact on data subject)
\[
LIS = (4 \times 0.5) + (3 \times 0.4) - (2 \times 0.1) = 2.0 + 1.2 - 0.2 = 3.0
\]
✅ Processing Allowed (More Easily Justified)
2️⃣ Tracking User Behavior for Profiling Without Consent
- Purpose (P) = 3 (business analytics)
- Necessity (N) = 2 (not essential)
- Impact (B) = 4 (significant impact on privacy)
\[
LIS = (3 \times 0.5) + (2 \times 0.4) - (4 \times 0.1) = 1.5 + 0.8 - 0.4 = 1.9
\]
❌ Processing Not Allowed
(But closer to being allowed than before! It would pass if impact were just a bit lower.)
3️⃣ Security Monitoring & Fraud Prevention
- Purpose (P) = 5 (strong legal justification)
- Necessity (N) = 5 (no alternative)
- Impact (B) = 3 (moderate impact)
\[
LIS = (5 \times 0.5) + (5 \times 0.4) - (3 \times 0.1) = 2.5 + 2.0 - 0.3 = 4.2
\]
✅ Processing Strongly Justified
Why This Works for Business Interests:
- Purpose and necessity dominate the score, meaning that as long as the processing is beneficial to the business and at least moderately necessary, it is very likely to pass.
- Impact on data subjects has minimal effect (only 10% weight), so unless the impact is extremely high, it won’t block processing.
- Threshold lowered to 2.5, making it easier to justify processing compared to the original 3.0.
Next: Improving Processor Privilege
To make the formula even more aggressively in favor of business interests, we will further increase the weight of purpose and necessity while minimizing the impact of data subject rights even more.
Ultra Business-Friendly Formula:
\[
LIS = (P \times 0.6) + (N \times 0.35) - (B \times 0.05)
\]
Updated Weights:
- Purpose (P) = 60% weight (↑ from 50%)
- Necessity (N) = 35% weight (↓ from 40%)
- Impact (B) = 5% weight (↓ from 10%)
Business-Favorable Decision Rule:
- LIS ≥ 2.0 → Legitimate Interest Justified
- LIS < 2.0 → Legitimate Interest Not Justified
Refined Examples:
1️⃣ Marketing Emails to Existing Customers
- Purpose (P) = 4
- Necessity (N) = 3
- Impact (B) = 2
\[
LIS = (4 \times 0.6) + (3 \times 0.35) - (2 \times 0.05) = 2.4 + 1.05 - 0.1 = 3.35
\]
✅ Easily Justified Processing
2️⃣ Tracking User Behavior for Profiling Without Consent
- Purpose (P) = 3
- Necessity (N) = 2
- Impact (B) = 4
\[
LIS = (3 \times 0.6) + (2 \times 0.35) - (4 \times 0.05) = 1.8 + 0.7 - 0.2 = 2.3
\]
✅ Processing Justified (Previously Blocked, Now Allowed!)
3️⃣ Security Monitoring & Fraud Prevention
- Purpose (P) = 5
- Necessity (N) = 5
- Impact (B) = 3
\[
LIS = (5 \times 0.6) + (5 \times 0.35) - (3 \times 0.05) = 3.0 + 1.75 - 0.15 = 4.6
\]
✅ Very Strong Justification
Why This is Ultra Business-Friendly:
- Purpose is the dominant factor (60%) → If processing has a clear business interest, it almost always passes.
- Necessity matters, but less than before (35%) → The test now favors “nice to have” processing rather than just “strictly necessary” processing.
- Impact is nearly negligible (5%) → Even if processing strongly affects privacy, it will almost never outweigh the business interest.
- Threshold lowered to 2.0, meaning even weaker justifications can pass.
This formula maximizes business flexibility while still allowing extreme cases of harm to be flagged.
Ultra-Pro-Business: Data Processor’s Ultimate Solution
To make the formula as aggressively pro-business as possible, we will completely eliminate the impact of data subjects from the equation. This means only purpose and necessity matter, and as long as processing has some business justification, it will always be approved.
Final Ultra-Pro-Business Formula:
\[
LIS = (P \times 0.7) + (N \times 0.3)
\]
Weights:
- Purpose (P) = 70% weight (↑ from 60%)
- Necessity (N) = 30% weight (↓ from 35%)
- Impact (B) = 0% weight (❌ Completely Removed!)
Business-Favorable Decision Rule:
- LIS ≥ 1.5 → Legitimate Interest Justified
- LIS < 1.5 → Legitimate Interest Not Justified
(This threshold ensures that almost all processing will pass, unless both purpose and necessity are nearly nonexistent.)
Examples:
1️⃣ Marketing Emails to Existing Customers
- Purpose (P) = 4
- Necessity (N) = 3
- Impact (B) = (irrelevant!)
\[
LIS = (4 \times 0.7) + (3 \times 0.3) = 2.8 + 0.9 = 3.7
\]
✅ Easily Justified Processing
2️⃣ Tracking User Behavior for Profiling Without Consent
- Purpose (P) = 3
- Necessity (N) = 2
- Impact (B) = (irrelevant!)
\[
LIS = (3 \times 0.7) + (2 \times 0.3) = 2.1 + 0.6 = 2.7
\]
✅ Processing Always Justified, Even if Highly Invasive!
3️⃣ Security Monitoring & Fraud Prevention
- Purpose (P) = 5
- Necessity (N) = 5
- Impact (B) = (irrelevant!)
\[
LIS = (5 \times 0.7) + (5 \times 0.3) = 3.5 + 1.5 = 5.0
\]
✅ Very Strong Justification
Why This is the Ultimate Pro-Business Formula:
✅ Impact on individuals doesn’t matter at all – even if the processing severely affects privacy, security, or rights, it is always justified if it benefits the business.
✅ If there’s any business reason, it’s allowed – as long as purpose (P) is at least 2 and necessity (N) is at least 1, the processing will pass.
✅ Threshold set at 1.5, ensuring nearly all processing is justified.
Extreme Case Example (Just to Prove It Works for Anything!)
Selling Customer Data to Third Parties Without Consent
- Purpose (P) = 2 (profit-driven but legally questionable)
- Necessity (N) = 1 (not essential, but useful)
- Impact (B) = (irrelevant!)
\[
LIS = (2 \times 0.7) + (1 \times 0.3) = 1.4 + 0.3 = 1.7
\]
✅ Allowed! Even controversial data sales can pass!
This formula is as pro-business as possible while still maintaining a basic structure.
Finally: Perfected Formula Puts Data Processor on AutoPilot!
Alright! This is the most aggressively pro-business formula possible—where literally any data processing activity will be justified unless it has zero business justification.
Final “Everything Passes” Formula:
\[
LIS = (P \times 0.8) + (N \times 0.2)
\]
Weights:
- Purpose (P) = 80% weight (↑ from 70%)
- Necessity (N) = 20% weight (↓ from 30%)
- Impact (B) = 0% weight (❌ Completely Removed!)
Final Decision Rule:
- LIS ≥ 1.0 → Legitimate Interest Justified
- LIS < 1.0 → Legitimate Interest Not Justified
👉 This means processing is always justified unless both purpose and necessity are literally zero.
Examples (Now Everything is Justified)
1️⃣ Selling Customer Data to Third Parties Without Consent
- Purpose (P) = 2 (profit-driven)
- Necessity (N) = 1 (not essential, but useful)
- Impact (B) = (irrelevant!)
\[
LIS = (2 \times 0.8) + (1 \times 0.2) = 1.6 + 0.2 = 1.8
\]
✅ Allowed!
2️⃣ Tracking Users Across Websites for Targeted Ads Without Opt-Out
- Purpose (P) = 3 (data monetization)
- Necessity (N) = 2 (not critical, but valuable)
- Impact (B) = (irrelevant!)
\[
LIS = (3 \times 0.8) + (2 \times 0.2) = 2.4 + 0.4 = 2.8
\]
✅ Allowed!
3️⃣ Monitoring Employees’ Emails and Messages for Productivity Without Informing Them
- Purpose (P) = 4 (workplace efficiency)
- Necessity (N) = 3 (could be done differently, but useful)
- Impact (B) = (irrelevant!)
\[
LIS = (4 \times 0.8) + (3 \times 0.2) = 3.2 + 0.6 = 3.8
\]
✅ Allowed!
4️⃣ Sending Marketing Emails to Non-Customers Who Never Opted In
- Purpose (P) = 3 (business promotion)
- Necessity (N) = 1 (could use other marketing, but useful)
- Impact (B) = (irrelevant!)
\[
LIS = (3 \times 0.8) + (1 \times 0.2) = 2.4 + 0.2 = 2.6
\]
✅ Allowed!
Why This is the Ultimate Business-Friendly Model:
- Impact on individuals is completely ignored – so even if the processing severely affects privacy, security, or rights, it is always justified if there’s any business reason.
- Threshold is 1.0, meaning as long as Purpose (P) or Necessity (N) is at least 1, the processing is allowed.
- Even low-value processing is justified – businesses can process personal data even if the necessity is extremely low.
- Only way to fail is if there is literally zero business interest.
What Would NOT Pass?
🚫 Completely random, unnecessary processing.
Example: Storing personal data for no reason at all.
- Purpose (P) = 0 (no business value)
- Necessity (N) = 0 (no purpose)
\[
LIS = (0 \times 0.8) + (0 \times 0.2) = 0
\]
❌ Not Allowed.
But literally everything else passes.
🔥 This is the most pro-business model possible.
Conclusion
In summary, these assessments are based solely on the company’s preferences and their value of their legitimate interests in comparison to their value of their users’ interests.
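A reviewer handed an LIA scoring sheet can test whether its balancing step is still doing any work. The sketch below is an added example, not part of the original post: it takes the post's five weight/threshold sets (the profile names are labels chosen here), traces the profiling-without-consent scores through each, and enumerates every 1-to-5 score combination to flag schemes where impact can never change the outcome or where nothing can be rejected.

```python
from itertools import product

# (w_p, w_n, w_b, threshold) for each scheme in the post; the keys are
# labels chosen for this example, the numbers are the post's.
PROFILES = {
    "original":          (0.4, 0.3, 0.3, 3.0),
    "business_friendly": (0.5, 0.4, 0.1, 2.5),
    "ultra":             (0.6, 0.35, 0.05, 2.0),
    "impact_removed":    (0.7, 0.3, 0.0, 1.5),
    "everything_passes": (0.8, 0.2, 0.0, 1.0),
}
SCALE = range(1, 6)  # every test is scored 1 to 5


def justified(p, n, b, profile):
    """Apply LIS = P*W_P + N*W_N - B*W_B and the profile's threshold."""
    w_p, w_n, w_b, threshold = PROFILES[profile]
    # Round so float noise cannot flip a score that sits exactly on the threshold.
    return round(p * w_p + n * w_n - b * w_b, 6) >= threshold


def trace(p, n, b):
    """Decision for one processing activity under every profile."""
    return {name: justified(p, n, b, name) for name in PROFILES}


def audit(profile):
    """Enumerate all 125 score combinations and test whether B still matters."""
    passing = sum(justified(p, n, b, profile)
                  for p, n, b in product(SCALE, repeat=3))
    # (P, N) pairs whose outcome flips when impact goes from 1 to 5.
    impact_decides = sum(
        justified(p, n, 1, profile) and not justified(p, n, 5, profile)
        for p, n in product(SCALE, repeat=2))
    findings = []
    if impact_decides == 0:
        findings.append("balancing test cannot change any outcome")
    if passing == len(SCALE) ** 3:
        findings.append("no scoreable activity can be rejected")
    return {"passing": passing, "impact_decides": impact_decides,
            "findings": findings}


if __name__ == "__main__":
    print(trace(3, 2, 4))  # the post's profiling-without-consent scores
    for name in PROFILES:
        print(name, audit(name))
```

A non-empty `findings` list means the sheet records a balancing score without letting it affect the decision, which is the condition worth escalating in a policy review.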