Published 21 May 2026

How to write a Legitimate Interests Assessment for B2B prospecting under UK GDPR

Last updated: 21 May 2026

A defensible Legitimate Interests Assessment for B2B prospecting under UK GDPR runs to two to four pages and covers three sections: a purpose test naming the specific commercial interest, a necessity test explaining why this processing is the minimum required, and a balancing test documenting how the contact's rights are not overridden. Date the LIA, store it in your Record of Processing Activities, and update it whenever your targeting, channels, or data sources change materially.

Key points

Why does a B2B marketer need a written LIA at all?

The legitimate interests basis under Article 6(1)(f) UK GDPR is not self-executing. You cannot simply decide your interest is legitimate and start sending emails. The accountability principle in Article 5(2) requires you to demonstrate compliance, and the Information Commissioner's Office (ICO) has been explicit in its guidance that a written Legitimate Interests Assessment is the primary mechanism for doing that.

In practice, when the ICO investigates a B2B direct marketing complaint, the first thing they ask for is the LIA. If you do not have one, or the one you produce looks as though it was drafted the morning the complaint arrived, the investigation takes a very different turn. A document prepared contemporaneously, before the campaign launched, carries far more weight.

The LIA is also protective for your procurement process. If you buy B2B data from a supplier, the supplier's LIA covers their own processing. You, as the data controller for your outreach campaign, need your own LIA covering what you do with that data. These are two separate documents, and confusing them is a common compliance gap.

What are the three tests inside an LIA?

The ICO describes legitimate interests as a three-part balancing exercise. All three parts must be satisfied, and the analysis should be written down in the order they appear below.

Part 1: The purpose test

The purpose test asks two questions. First: is there a legitimate interest being pursued? Second: is that interest genuine rather than trivial or pretextual?

For B2B prospecting, the interest is typically commercial: winning new customers in a specific sector, re-activating lapsed accounts, or generating sales-qualified leads for a pipeline. The interest must be specific. "We want to grow the business" fails the test. "We are contacting Finance Directors at UK-based accountancy practices with ten or more employees to promote our cloud payroll software" passes it, because the purpose is concrete, the audience is defined, and the relevance to the contact is apparent.

Document this section in three to five sentences. Name the product or service, the audience (including sector and seniority), and the commercial outcome being sought.

Part 2: The necessity test

The necessity test asks whether personal data processing is actually needed to achieve the stated purpose, and whether a less intrusive means would achieve the same result equally well.

For B2B outreach, the analysis is usually straightforward: you cannot contact specific named decision-makers without their contact details. Generic advertising is not a functional substitute for targeted outreach, because it cannot reach the identified individuals. The test is met.

What the necessity test does require you to confirm is data minimisation. If you only need a business email address and job title, you should not be processing home addresses or personal mobile numbers. Record what data categories you are processing and why each is necessary. This is where many assessments are too thin: they confirm that processing is necessary in principle but fail to engage with the specific data fields actually being used.

Part 3: The balancing test

The balancing test is the most substantive part of an LIA and the section most likely to be challenged. It requires you to weigh your interests against the rights and freedoms of the individuals whose data you are processing.

Work through the following in sequence:

Conclude the balancing section with a clear finding: on balance, the legitimate interest is not overridden by the rights and interests of the data subject. If you cannot write that conclusion honestly, the LIA has told you something important: do not proceed with that processing.

What does the LIA document actually look like?

There is no prescribed format. The ICO publishes a Legitimate Interests Assessment template on its website, and it is a reasonable starting point. The key is that the document is structured, dated, and written to be read by someone outside your organisation who knows nothing about your business.

A workable LIA for B2B prospecting contains the following sections:

  1. Document metadata: title, version number, date completed, author, reviewer, next review date.
  2. Description of processing: what data you are processing, which categories of individuals are affected, and the processing activities involved (collection, storage, use, transfer).
  3. Purpose test findings: the specific interest pursued and the conclusion that it is legitimate and genuine.
  4. Necessity test findings: confirmation that the processing is needed, with data minimisation justification for each data category used.
  5. Balancing test findings: the factors considered and the conclusion.
  6. Safeguards: the specific controls in place, named and dated.
  7. Conclusion and sign-off: a single sentence stating the basis is confirmed, signed by the responsible person.

Two to four pages is the right length for most B2B prospecting LIAs. Shorter and it will not survive scrutiny. Longer and it becomes a policy document rather than an assessment.

How does the LIA relate to your ROPA and data supplier agreements?

Under UK GDPR, organisations processing personal data for marketing purposes are required to maintain a Record of Processing Activities (ROPA). The LIA should be stored alongside the relevant ROPA entry, or cross-referenced from it. The ROPA describes the processing; the LIA justifies the lawful basis for that processing.

If you are buying B2B contact data from a supplier, the data sharing agreement or data licence should confirm that the supplier has conducted their own LIA covering their compilation and supply of the data. For context on why legitimate interests applies at the point of sourcing as well as at the point of use, see our article on using legitimate interests as the lawful basis for B2B data under UK GDPR. Your LIA then covers the downstream processing: your campaign targeting, outreach channel, and contact frequency.

This chain of accountability matters. If a contact complains to the ICO, the regulator can follow the data from your campaign back to the supplier. Both parties need their own documentation in order.

LIA scope: one document per campaign or one for all B2B prospecting?

A single LIA can cover a class of activity, provided the purpose, data categories, channels, and audiences are consistent. The table below illustrates when one LIA is sufficient and when a separate one is needed.

| Scenario | Requires separate LIA? | Rationale |
|---|---|---|
| Two email campaigns to the same audience, same product, different months | No | Same purpose, same data categories, same channel. Existing LIA covers both. |
| Email campaign followed by telephone follow-up to the same list | Yes | New channel (telephone) carries different impact profile. The balancing test must be re-run for phone contact, including TPS suppression confirmation. |
| Extending email outreach from the manufacturing sector to the retail sector | Yes, or amend existing | New audience. Reasonable expectations and relevance may differ between sectors. |
| Switching from one B2B data supplier to another | Yes, or amend existing | New data source. The provenance and compilation methods are different; the LIA should note the supplier and confirm their lawful basis chain. |
| Adding mobile numbers to an existing email outreach programme | Yes | New data category with higher intrusion potential. The balancing test outcome may change. |

Watch point: "all B2B marketing" LIAs

An LIA that purports to cover all outbound marketing activity without specifying purpose, audience, or channel is unlikely to satisfy the ICO. The balancing test in particular requires specific facts about likely impact, and those facts differ between an email to a procurement manager and a cold call to a personal mobile. Write LIAs at the level of processing activity, not at the level of business function.

What happens when a contact objects to the processing?

Under Article 21 UK GDPR, individuals have an absolute right to object to processing based on legitimate interests. "Absolute" here means you cannot override it by reasserting that your interest is compelling. Once someone objects, you must stop processing their data for that purpose. You have no grounds to continue.

Your LIA should record how objections will be handled operationally: who receives them, the target response time (five working days is standard practice), and how the removal is propagated across systems and suppression files. The ICO expects this to be a live process, not a theoretical one.

Suppression against your own opt-out file is just as important as the initial LIA. Keep a suppression list of everyone who has objected and wash every new prospecting extract against it before any outreach begins.

For telephone outreach, TPS suppression is a legal requirement under the Privacy and Electronic Communications Regulations (PECR), separate from UK GDPR. The LIA should confirm that TPS washing is part of the standard process, but the two regimes are independent. Passing your LIA does not exempt you from PECR, and suppressing against TPS does not substitute for a valid lawful basis under UK GDPR.

Frequently asked questions

Does every company using legitimate interests for B2B marketing need a written LIA?

The ICO recommends a written LIA as part of the accountability principle under UK GDPR Article 5(2). It is not an absolute statutory requirement in the way that a DPIA is for high-risk processing, but the ICO will ask to see it during an investigation. A written LIA is the only practical way to demonstrate you completed the three-part test before processing began.

How long does a Legitimate Interests Assessment need to be?

Two to four pages is the standard for a B2B prospecting LIA. It needs enough detail to show that each of the three tests (purpose, necessity, balancing) was genuinely considered, not just ticked. A half-page document that says "we have a legitimate interest in selling our products" will not survive ICO scrutiny.

Can one LIA cover all your B2B prospecting campaigns?

A single LIA can cover a class of activity, for example "outbound email to named decision-makers in the manufacturing sector", provided the purpose, data categories, and channels are consistent across campaigns. If you change channel (email to telephone), audience (new sector or seniority band), or data source, update the LIA or create a new one. A catch-all LIA covering "all B2B marketing" is too vague to be defensible.

What is the difference between the necessity test and the balancing test in an LIA?

The necessity test asks whether the processing is needed to achieve your stated purpose and whether a less intrusive means would achieve the same result. The balancing test asks whether the impact on the data subject's rights and freedoms is outweighed by your interest. Both must be satisfied. Passing the necessity test does not mean you have passed the balancing test.

Does an LIA cover PECR as well as UK GDPR?

No. An LIA addresses lawful basis under UK GDPR Article 6(1)(f). The Privacy and Electronic Communications Regulations (PECR) impose a separate consent requirement for unsolicited electronic marketing to individuals. For B2B email to named contacts at corporate domains, PECR allows the soft-opt-in or existing customer basis, but you must also suppress against the Telephone Preference Service (TPS) for any telephone outreach. Your LIA should note these channel-specific obligations but cannot substitute for them.

How often should a B2B prospecting LIA be reviewed?

Review the LIA whenever any of the following change: the purpose of processing, the categories of data used, the channels or methods of contact, the data source, or the audiences targeted. As a minimum, a periodic review every 12 months is sensible. Significant regulatory changes, such as updated ICO guidance, also warrant a review.