A New Lawful Basis Under UK GDPR
Data Protection Made Easy
Written by Himanshi Gulati
Recognised Legitimate Interests are a new lawful basis under UK GDPR, introduced through the Data (Use and Access) Act 2025. This article explains what they are, when they can be used, and how they differ from standard legitimate interests. It also outlines key obligations, limitations, and what organisations need to do to remain compliant.
Recognised Legitimate Interests: A New Lawful Basis Under UK GDPR
The UK data protection landscape continues to evolve, with the introduction of a new lawful basis for processing personal data.
The ICO has introduced guidance on Recognised Legitimate Interests, brought in through the Data (Use and Access) Act 2025.
This development is important for organisations relying on legitimate interests. While it may appear to be a simpler alternative, in practice it is more limited and requires careful compliance.
In practice, this lawful basis is most relevant to organisations involved in activities such as safeguarding or public safety. However, it may also apply in limited situations to private organisations supporting these purposes.
What Are Recognised Legitimate Interests?
Recognised Legitimate Interests are a new lawful basis for processing personal data, introduced through updates to UK data protection law.
Unlike the standard legitimate interests basis, this applies only to a limited set of pre-approved purposes defined in law.
What Are the Pre-Approved Purposes?
Pre-approved purposes are the specific conditions, set out in law, under which organisations can rely on this lawful basis.
Crime Prevention
Organisations can process personal data where necessary for detecting, investigating or preventing crime, or prosecuting offenders.
Examples include preventing or detecting money laundering, terrorist financing, fraud and scams, and CCTV monitoring to deter retail theft.
National Security, Public Security or Defence
These are not explicitly defined in law but generally include:
- National security: Protection of the UK’s institutions and population
- Public security: Protection of the public from threats such as crime or disasters
- Defence: Protection and effectiveness of the UK’s armed forces
Safeguarding
This applies to protecting vulnerable individuals, including children under 18 and adults at risk.
It covers protection from harm or neglect and support for the individual's wellbeing. Organisations must ensure the individual qualifies as vulnerable and that the processing is necessary.
Emergencies
This applies where processing is necessary to respond to an emergency as defined in the Civil Contingencies Act 2004, for example:
- War or terrorism
- Threats to welfare
- Threats to the environment
Public Task Disclosure
Organisations can share personal data where necessary for another organisation to carry out public tasks.
This applies only where the receiving organisation has a lawful public function.
How Is This Different from Legitimate Interests?
One key difference is that organisations do not need to carry out a balancing test.
This is because the interests are already recognised in law.
However, this is not a free pass. Organisations must still ensure:
- The processing is necessary and proportionate
- The recognised interest clearly applies
What Obligations Still Apply?
Organisations must still comply with UK GDPR and the Data Protection Act 2018, including:
- Transparency: Clearly explain processing in your privacy notice
- Purpose limitation: Only use data for the recognised purpose
- Data minimisation: Only process necessary data
- Accountability: Document decisions and retain records
What About Data Subject Rights?
Individuals still have rights, including the right to object.
Organisations must assess objections in line with UK GDPR requirements.
When Can Recognised Legitimate Interests Be Applied?
This lawful basis can only be used where processing is necessary for one of the recognised conditions.
Organisations must clearly identify and document which condition applies.
In some cases, multiple conditions may apply and should all be recorded.
What Are the Limitations?
- Applies only to specific recognised purposes
- Unlikely to apply to marketing or commercial activity
- Cannot be used for solely automated decision-making
- Public authorities cannot use it for their public tasks
- Additional conditions required for special category or criminal offence data
- Extra care required when processing children’s data
What Should Organisations Do Now?
- Map processing activities to identify applicability
- Document decisions and justification
- Update privacy notices
- Train teams on limitations and correct use
Conclusion
Recognised Legitimate Interests provide greater certainty for specific public interest processing activities.
However, they still sit within the UK GDPR and Data Protection Act framework, meaning organisations must continue applying core principles.
The ICO makes it clear that while compliance may be simplified in some areas, accountability remains unchanged.
How Data Protection People Can Help
We support organisations with DSAR process reviews, policy development, and staff training to ensure compliance and consistency with ICO expectations.
Sources
- ICO guidance on Recognised Legitimate Interests
- ICO guidance on public task disclosures
- ICO lawful basis guidance
Frequently Asked Questions (FAQs)
What are recognised legitimate interests?
They are a lawful basis under UK GDPR for specific purposes such as safeguarding, crime prevention and emergencies.
How are they different from legitimate interests?
No balancing test is required, but processing must still be necessary and proportionate.
When can organisations rely on this basis?
Only when processing meets one of the recognised legal conditions and is properly documented.
Can private organisations use it?
Yes, but only in limited circumstances linked to public interest or safety.
Do UK GDPR principles still apply?
Yes, all core principles must still be followed.
Do individuals still have rights?
Yes, including the right to object.
Can it be used for marketing?
No, it is unlikely to apply to commercial marketing activities.
Can public authorities use it?
Not for their public tasks; it may apply only in limited other circumstances.
Can it be used for children’s data?
Yes, but extra care is required.
What about special category data?
Additional legal conditions must be met under UK GDPR and the Data Protection Act 2018.
Do we need to document decisions?
Yes, documentation is required to demonstrate compliance.