What is “legitimate interest assessment” for data sourcing?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've found some promising contacts. You've got their emails. And you think cold outreach makes sense for your business. But under GDPR, "it seemed like a good idea" isn't a lawful basis for processing someone's personal data. That's where legitimate interest comes in, and more specifically, the test you have to run before you can rely on it.
A Legitimate Interest Assessment (LIA) is a written analysis that shows your reason for processing someone's data outweighs their right to privacy. Think of it as your documented justification for why it's fair to contact this person, even though they didn't opt in. It's not a formality you file once and forget. It's a real argument you need to be able to defend if a data regulator or an unhappy recipient asks.
The LIA has three parts.
The purpose test asks you to name your specific interest. "Business development" can qualify, but you can't leave it there. You need to articulate why, for what product or service, and why cold outreach is a reasonable way to pursue it. Vague statements won't hold up.
The necessity test asks whether you actually need this person's data to achieve your goal. Could you reach the same outcome another way, without processing their personal information? If the answer is yes, you don't pass this test.
The balancing test is where most cold email senders stumble. You have to weigh your interest against the individual's reasonable expectations. Would they expect to receive sales contact based on where their data appeared? What's the potential impact on them? What safeguards do you have in place, like an easy opt-out and a relevant, targeted message?
For cold email data sourcing, the balancing test matters most. Someone listing their work email on LinkedIn probably expects some professional contact. Someone scraped from a forum probably doesn't. Volume matters too. Emailing 50 highly relevant prospects is a different story from blasting 50,000 semi-matched contacts.
On documentation, you need to write your analysis down, include specific reasoning for each of the three tests, review and update it if your use case or data source changes, and be ready to produce it if challenged. A template helps, but generic boilerplate won't cut it. The reasoning has to be specific to your situation.
Also worth knowing: legitimate interest doesn't override the requirement to tell people you have their data. You still need to disclose how you sourced their contact information and give them a clear way to opt out.
Not sure if your current cold email setup would pass an LIA? Our SOS hotline is free, and we're happy to talk through your specific situation with no pitch attached.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.