Data Protection Network

What’s a recognised legitimate interest?

The new seventh lawful basis for processing under UK GDPR

As of 5th February 2026, UK GDPR was amended to include a seventh lawful basis for processing personal data: recognised legitimate interests.

The Information Commissioner’s Office (ICO) have published final guidance about this shiny new lawful basis, which provides organisations with five conditions described as ‘containing pre-approved purposes that are in the public interest’.

But perhaps not so gleaming, when you realise this means there are very limited and specific purposes where this new lawful basis is applicable. Albeit additional conditions setting out other pre-approved purposes may be added in due course.

Key points

Here are some important points to bear in mind:

  • Despite sounding incredibly similar, recognised legitimate interests (RLI) mustn’t be confused with the existing legitimate interests lawful basis – it’s a separate and distinct lawful basis.
  • If you currently rely on legitimate interests for any of the pre-approved purposes, you don’t need to switch. You can choose to keep matters just as they are.
  • Recognised legitimate interests can only be relied upon if the criteria for one of the pre-approved purposes can be met.
  • If you meet the criteria for RLI, a balancing test of whether a person’s rights, freedoms or interests outweigh a recognised legitimate interest is not needed. BUT you still need to assess the necessity of the processing activity and comply with all other data protection requirements. (Nobody said this was going to be easy.)
  • The scope of this lawful basis extends to handling special category or criminal offence data, but you still need to meet the existing additional requirements for these categories of personal data.
  • Any of the conditions may be suitable for using children’s personal information, as long as extra care is taken to protect children’s interests.
  • Where more than one condition applies in a particular situation, the ICO would expect you to identify and document them all.
  • Public authorities can’t rely on this lawful basis to perform their tasks or functions. In fact, they don’t need to as they already have the public task lawful basis. However, they can use it for other matters.

The five recognised legitimate interests conditions

1. Public Tasks Disclosure Condition

This condition can be used to voluntarily share personal information with another organisation which has requested it because they need it for their public task or official functions. This is distinct from when you’re legally compelled to share personal information, where the lawful basis would be legal obligation.

This doesn’t mean if any public body asks your organisation for personal information you should just willingly hand it over. Some due diligence is required, such as:

  • Get the request in writing, so you have an audit trail
  • Make sure the request specifies the personal information they’re seeking and if this is not clear ask for more details
  • Check to make sure the request is genuine and made by someone with suitable authority within the organisation
  • Consider whether the personal information you want to share is proportionate and necessary to meet the request. However, you don’t need to decide if it’s actually necessary to perform a public task or function.

2. National Security, Public Security and Defence Condition

This condition can be used to safeguard UK national security, protect public security or for defence reasons. The ICO points out: “Many organisations that use personal information for these purposes don’t need to use this recognised legitimate interest condition. This is because a different lawful basis applies instead (such as legal obligation or public task) or they’re subject to different parts of data protection law.”

If you don’t fall under the ‘many’ above, to use this condition you must be able to demonstrate your use of personal information is necessary to support one of these purposes and what you want to do is a ‘reasonable way to achieve this’.

3. Emergencies Condition

You can use this condition when you need to respond rapidly to a national emergency or critical situation as set out in the Civil Contingencies Act 2004. The ICO gives the following examples:

  • events or situations that threaten serious damage to people’s welfare or the environment in the UK (e.g. extreme weather events, pandemics or chemical spills)
  • war and acts of terrorism that threaten serious damage to the security of the UK.

If a situation is identified as such an emergency or critical situation, you still need to decide if using personal information is necessary for the purpose of responding to it.

4. Crime Condition

This condition can be used when there’s a need to use personal information to ‘prevent, report crimes or help prosecute offenders’, and includes where your organisation needs to share personal information for crime-related purposes. You must still decide if using personal information is necessary for the purpose. Where this information constitutes criminal offence data you still need to meet existing data protection obligations.

5. Safeguarding Condition

This is specifically for when you want to use personal information to protect a vulnerable individual who is at risk of harm. This includes children and at-risk adults and can include sharing this information with other organisations.

Now, for the nuanced bit. The ICO says it doesn’t need to be ‘absolutely essential’ for safeguarding, but must be ‘more than just useful’. I’m afraid there are no examples given to help you judge this.

Again, worth remembering for special category or criminal conviction data you will still need an additional specific condition, as you do for any other lawful basis.

In summary

These pre-approved purposes are set out in Annex 1 of the UK GDPR. The ICO Recognised Legitimate Interests Guidance provides more detail and you need to carefully consider whether or not you meet the criteria.

If you opt to rely on recognised legitimate interests, remember you may need to update your Record of Processing Activities and any relevant privacy notice to reflect the changes.

At this point, you may be excused for thinking you’ll just stick with trusty old legitimate interests and the balancing test.

Which neatly brings me on to the fact that the ICO has also recently updated its Legitimate Interests Guidance to reflect changes to UK GDPR brought in under the Data (Use and Access) Act 2025. This covers direct marketing as a legitimate interest, but don’t forget you also need to comply with the marketing rules under the Privacy and Electronic Communications Regulations (PECR), which require consent in certain situations, so legitimate interests is not always an option.

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).