Legitimate interest is a lawful basis which to some degree is assumed by an organisation when it does not rely on any other lawful basis. Legitimate interest provides a good level of control for the organisation but assumes that the data subject will not object to the processing.

If you are relying on legitimate interest, a number of things will be important to you.

Firstly, before processing the personal data you must undertake and evidence that you do have a compelling legitimate interest by completing a legitimate interest assessment (LIA).

Secondly, if your LIA is successful you must also inform the data subject within your privacy notice that the processing is taking place in your legitimate interest.

Finally, you should have a plan for how you will respond if and when a data subject were to exercise their right to object to the processing.

This is likely to be different for different processes, for example a marketing activity is likely to be halted if an objection is received, but an activity to reclaim unpaid fees is unlikely to halted.