Summary
Add a dedicated LIA (Legitimate Interests Assessment) document type to StrayMark — the GDPR Art. 6(1)(f) "three-part test" that must back any processing whose legal basis is legitimate interests.
Why we need it
When `gdpr_legal_basis: legitimate_interests` is declared (in an ETH or DPIA), GDPR requires a documented LIA: the three-part test of (1) purpose (is there a real legitimate interest?), (2) necessity (is the processing necessary, with no less-intrusive means?), and (3) balancing (does the interest prevail over the data subject's rights and reasonable expectations?), plus safeguards and the data subject's rights.
StrayMark already ships `DPIA`, `ETH`, and `SEC` types, but no `LIA`. The LIA is distinct from a DPIA:
- DPIA = impact assessment, triggered for high-risk processing (Art. 35).
- LIA = legal-basis justification, required whenever legitimate interests is the basis — independent of risk level.
So a team that correctly determines "no DPIA needed" (internal tool, no large-scale or special-category data) can still owe an LIA. There is currently no first-class home for it.
How we worked around the absence
In a real adopter project we hit exactly this: an ETH (`risk_level: high`) for an internal operator dashboard declared `legitimate_interests`, the human reviewer confirmed "no DPIA required", but the LIA was still owed. With no `LIA` type, we documented the three-part test as a sub-block inside the ETH's `#### GDPR Legal Basis` section (a `##### Legitimate Interests Assessment (LIA)` table). It works and keeps the LIA next to the basis it justifies, but:
- it isn't discoverable/queryable as its own artifact (`straymark` can't list/validate LIAs);
- there's no standard template, so the three-part test depends on the author remembering all three prongs + safeguards;
- it couples the LIA's lifecycle to the ETH's.
Proposed implementation
- Add `lia` to the `straymark new` types and a `TEMPLATE-LIA.md` (+ i18n variants) with the canonical structure: Purpose / Necessity / Balancing tests, Safeguards, Data subject rights (transparency, objection/erasure), and a Conclusion.
- Location: `.straymark/07-ai-audit/ethical-reviews/` (alongside ETH/DPIA).
- Frontmatter: `gdpr_legal_basis`, `related` (link to the ETH/DPIA it supports), `review_required` (legal-basis judgments warrant human sign-off), `risk_level`.
- Optionally: when an ETH/DPIA sets `gdpr_legal_basis: legitimate_interests`, `straymark validate` could emit an advisory hint suggesting a linked LIA.
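The advisory hint proposed in the last bullet, sketched as an added Python example. This is not StrayMark's own code; the frontmatter layout it parses (a `type` key identifying `eth`/`dpia`/`lia` documents, `related` as a list of document ids) is an assumption, and the sample documents are constructed for the example.

```python
"""Advisory check: flag ETH/DPIA documents that declare legitimate interests
but do not link an LIA, and flag `related` links that point nowhere.

Hypothetical sketch of the `straymark validate` hint; not StrayMark's code.
Assumed frontmatter: `---`-delimited block of `key: value` lines, with
`related:` followed by `- item` lines and a `type:` key (eth/dpia/lia).
"""
import re

FRONTMATTER_DELIM = "---"
KV_RE = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*)$")
ITEM_RE = re.compile(r"^\s*-\s+(.*)$")


def parse_frontmatter(text):
    """Parse a minimal YAML-like frontmatter block into a dict.

    Scalars become strings; a bare `key:` followed by `- item` lines becomes
    a list. Anything after the closing delimiter is ignored.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != FRONTMATTER_DELIM:
        return {}
    data = {}
    current_list = None  # key of the list currently being filled, if any
    for line in lines[1:]:
        if line.strip() == FRONTMATTER_DELIM:
            break
        item = ITEM_RE.match(line)
        if item and current_list is not None:
            data[current_list].append(item.group(1).strip())
            continue
        kv = KV_RE.match(line)
        if kv:
            key, value = kv.group(1), kv.group(2).strip()
            if value == "":
                data[key] = []          # list header; items follow
                current_list = key
            else:
                data[key] = value
                current_list = None
    return data


def lia_advisories(docs):
    """Return a list of (doc_id, message) advisories.

    docs maps a document id (e.g. "ETH-0001") to its markdown text.
    An ETH/DPIA with gdpr_legal_basis: legitimate_interests must link at
    least one document of type lia via `related`; dangling links are
    reported as well.
    """
    parsed = {doc_id: parse_frontmatter(text) for doc_id, text in docs.items()}
    lia_ids = {doc_id for doc_id, fm in parsed.items() if fm.get("type") == "lia"}
    advisories = []
    for doc_id, fm in parsed.items():
        related = fm.get("related", [])
        if isinstance(related, str):      # tolerate scalar form `related: X`
            related = [related]
        for target in related:
            if target not in parsed:
                advisories.append((doc_id, f"related link {target!r} does not exist"))
        if fm.get("type") not in ("eth", "dpia"):
            continue
        if fm.get("gdpr_legal_basis") != "legitimate_interests":
            continue
        if not any(target in lia_ids for target in related):
            advisories.append((doc_id,
                "declares gdpr_legal_basis: legitimate_interests but links no LIA "
                "(Art. 6(1)(f) three-part test is owed regardless of DPIA outcome)"))
    return advisories


# Constructed sample corpus: one ETH with a linked LIA, one without, one
# DPIA on a different basis, and the LIA itself.
SAMPLE_DOCS = {
    "ETH-0001": "---\ntype: eth\nrisk_level: high\n"
                "gdpr_legal_basis: legitimate_interests\nrelated:\n  - LIA-0001\n---\n"
                "# Internal operator dashboard\n",
    "ETH-0002": "---\ntype: eth\nrisk_level: low\n"
                "gdpr_legal_basis: legitimate_interests\n---\n",
    "DPIA-0001": "---\ntype: dpia\ngdpr_legal_basis: consent\n---\n",
    "LIA-0001": "---\ntype: lia\ngdpr_legal_basis: legitimate_interests\n"
                "review_required: true\nrelated:\n  - ETH-0001\n---\n",
}

if __name__ == "__main__":
    for doc_id, message in lia_advisories(SAMPLE_DOCS):
        print(f"advisory: {doc_id}: {message}")
```

Run as a script, it reports only ETH-0002: ETH-0001 is covered by LIA-0001, and DPIA-0001 uses consent, so no LIA is owed. The check is deliberately advisory (no failure exit status), matching the "hint" wording above, and it keys on document `type` rather than filename so a linked LIA can live anywhere in the tree.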
Context
Reported by the Sentinel adopter project (Strange Days Tech). Happy to share the ETH sub-block we used as a starting point for the template.