

Legitimate interest: What the Data Use and Access Act means for your business

Using personal data lawfully is a fundamental obligation under UK data protection law. If you act as a controller, you must identify a lawful basis for every activity where you process personal data – whether that’s handling staff payment information or using customer details to fulfil orders.

When you rely on legitimate interests, you need to justify your position through a Legitimate Interest Assessment (LIA), showing how your organisation’s needs are balanced against individuals’ privacy rights. The Data (Use and Access) Act 2025 (DUAA) will soon introduce Recognised Legitimate Interests as a new legal justification, designed to simplify and streamline certain processing activities.

Understanding the difference between legitimate interests and Recognised Legitimate Interests will be essential for compliance. Our data protection solicitors can help you review your current approach, prepare and update LIAs, and position your business to take advantage of the DUAA changes while managing regulatory risk.

Using legitimate interests and completing a legitimate interest assessment

The UK GDPR provides several lawful bases for processing personal data, i.e. consent, performance of a contract, legal obligation, vital interest, public task and legitimate interests.

Legitimate interest is often viewed as a flexible basis to process personal data - but you can only rely on it if you can justify your use of data in this way in line with data protection laws. You should use it only when the relevant processing is necessary for your own or a third party’s aims and when those aims don’t override the rights and freedoms of the people whose data you process. This is because UK GDPR requires that processing is necessary for your legitimate interests (or those of a third party) except where those interests are overridden by the interests or fundamental rights and freedoms of the individual.

To determine whether you can rely on legitimate interest, you should conduct a thorough LIA and maintain a record of it. Always remember to do this before you start processing, so you can demonstrate that you have considered privacy risks.

An LIA typically follows a three-part test:

  • Purpose test - identify your legitimate interests and exactly why you need to process the data, e.g., for fraud prevention or direct marketing purposes.
  • Necessity test - show that the processing is genuinely required to achieve your purpose.
  • Balancing test - demonstrate that your interests don’t override individuals’ rights and freedoms, e.g. by considering the type of data, your relationship with the people involved, their reasonable expectations and any risks and harm.

No fixed formula exists for this, but you’ll need to weigh up all the factors and reach a careful judgment. If your LIA shows the processing doesn’t meet the test, you should choose a different lawful basis or stop the processing, unless you can narrow the scope and reassess whether legitimate interests remain a suitable basis.

You must also explain your legitimate interests clearly in your privacy notices or policies, and don’t forget to keep your LIAs under review over time.

This is a simplified summary, but it’s essential to know that there are a lot of factors to consider when relying on these grounds and that your business should take legal advice if you’re unsure about whether you can rely on legitimate interests in practice to use personal information.

‘Recognised Legitimate Interests’ as a lawful basis under the DUAA

The DUAA introduces a seventh lawful basis called Recognised Legitimate Interests. This is separate from the existing legitimate interest lawful basis.

Put simply, it’s designed as a pre-approved list of situations where lawmakers have essentially already judged specific data processing purposes to be inherently legitimate, so a traditional LIA isn’t required.

At present, there are specific proposed conditions which will be deemed as Recognised Legitimate Interests and, in summary, cover the following scenarios: 

  • Public task disclosure request condition: This is around disclosure of information to a public body on request, e.g. where you need to share personal information with an organisation when they need it for their public task or official functions (such as where you receive a request from the police)
  • National security, public security and defence conditions: This involves safeguarding national security, protecting public security or for defence reasons
  • Emergency condition: This is where you need to respond to or deal with an emergency (e.g. an evacuation situation)
  • Crime condition: This is where you are preventing, detecting or investigating crime (e.g. for fraud prevention)
  • Safeguarding condition: This is where you need to protect the physical, mental or emotional well-being of people who need extra support to do this or protect them from harm or neglect

This list is currently short, and the Secretary of State could expand or amend the conditions over time. Regulatory guidance on this has also not yet been finalised - so it’s still early days and businesses should watch this space. The ICO’s consultation on draft guidance on Recognised Legitimate Interests closes on 30 October 2025, and we await the finalised guidance and new provisions coming into effect. It remains to be seen how these new grounds will play out in practice, for example, whether companies can use them to rely on important business processing matters, such as the use of CCTV in specific scenarios.

The benefits of Recognised Legitimate Interests and other changes

The key question is: what is the significance and benefit of Recognised Legitimate Interests? The intention is that businesses should be able to rely on these grounds with greater ease and essentially cut down some of the red tape.

For these specific Recognised Legitimate Interests, you only need to show that the processing is necessary; you won’t need to assess whether a person’s rights, freedoms or interests outweigh the Recognised Legitimate Interest.

Put simply, you won’t need to conduct a full, cumbersome legitimate interest balancing assessment. This will help reduce paperwork and time for various businesses that rely on specific broader areas, e.g., crime.

However, some of these processing activities are narrow and tightly defined, so be cautious and consider them carefully before relying on them; take legal advice if you’re unsure. You should also still document your reasoning and grounds for reliance on Recognised Legitimate Interests, update your Record of Processing Activities and privacy notices, and comply with all other relevant UK GDPR principles when using data in this way.

The DUAA also clarifies within the law that certain processing activities (direct marketing, intra-group data sharing for internal administration and processing necessary for ensuring the security of network and information systems) are examples of legitimate interests. This helps clarify that you could rely on legitimate interest grounds to process data for these activities, but you’ll still need to complete a full LIA to do so. Nonetheless, this additional clarity should help give businesses more confidence in their practices.

What does your business need to do?

It’s essential to establish your legal grounds for processing correctly to minimise risk. Failing to process personal data lawfully can lead to various negative implications and penalties, as well as reputational damage.

You can’t rely on Recognised Legitimate Interests yet, until these new provisions come into law. Still, you can start preparing now to assess the DUAA’s applicability to your business and plan how it could impact your processing activities.

You should consider the following:

  • Mapping all your data processing activities and identifying any that may qualify as Recognised Legitimate Interests once the relevant law and regulatory guidance come into force.
  • Updating your documents (e.g. privacy notices, Records of Processing Activities and Data Protection Impact Assessments) when a processing purpose clearly falls within a Recognised Legitimate Interest ground.
  • Logging your evidence of reliance on Recognised Legitimate Interests – even though no balancing test is required.
  • Maintaining and refreshing your LIAs for all other processing so that you can demonstrate compliance and accountability.
  • Training relevant staff who process personal data to understand when Recognised Legitimate Interests apply in practice and the implications.
  • Monitoring future developments and ICO guidance, as these may expand or limit Recognised Legitimate Interests and affect your obligations.

With careful thought and planning, you can utilise the DUAA as a strategic opportunity to refresh and future-proof your data practices, streamline your compliance, and position your business as a leader in responsible data use. Your business can stay ahead and leverage the advantages of the DUAA by assessing the potential benefits and risks for your compliance programme, staying alert to the ICO’s guidance and the gradual implementation of legal rules, and seeking legal advice as the DUAA’s frameworks develop.

How our solicitors can support you

As the DUAA takes effect, your business will need to review LIAs, refresh privacy notices and ensure your processing records reflect the new lawful bases. Our data protection solicitors can guide you through each step – from mapping and classifying your data processing, to preparing documentation and governance frameworks that demonstrate compliance. We can also deliver training for your teams and help you identify where Recognised Legitimate Interests may streamline your operations. With expert support, you can strengthen your compliance, reduce regulatory risks and build greater trust in how you use data.

About our expert

Lillian Tsang MBA

Senior Solicitor - Data Protection & Privacy
Lillian is an experienced data protection, privacy and AI lawyer, qualified since 2008 (England and Wales). She advises clients on a broad range of matters, from complex data protection issues to strategic compliance with a global perspective, as well as day-to-day operations.


Our offices

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meetings at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Capital Tower Business Centre, 3rd Floor, Capital Tower, Greyfriars Road, Cardiff, CF10 3AG
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Lower Thames Street, London, EC3R 6AF
Belsyre Court, 57 Woodstock Road, Oxford, OX2 6HJ
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP