ARTICLE
23 March 2026

New And Updated UK Guidance On Recognised Legitimate Interest, General Legitimate Interest And Purpose Limitation

AO
A&O Shearman

Contributor

A&O Shearman logo
A&O Shearman was formed in 2024 via the merger of two historic firms, Allen & Overy and Shearman & Sterling. With nearly 4,000 lawyers globally, we are equally fluent in English law, U.S. law and the laws of the world’s most dynamic markets. This combination creates a new kind of law firm, one built to achieve unparalleled outcomes for our clients on their most complex, multijurisdictional matters – everywhere in the world. A firm that advises at the forefront of the forces changing the current of global business and that is unrivalled in its global strength. Our clients benefit from the collective experience of teams who work with many of the world’s most influential companies and institutions, and have a history of precedent-setting innovations. Together our lawyers advise more than a third of NYSE-listed businesses, a fifth of the NASDAQ and a notable proportion of the London Stock Exchange, the Euronext, Euronext Paris and the Tokyo and Hong Kong Stock Exchanges.
Explore Firm Details
The UK Information Commissioner's Office has published updated guidance following the Data (Use and Access) Act, introducing a new "recognised legitimate interest" lawful basis alongside traditional legitimate interests.
United Kingdom Privacy
Nigel Parker
Your Author LinkedIn Connections
Nigel Parker’s articles from A&O Shearman are most popular:
  • with Senior Company Executives, HR and Inhouse Counsel
  • with readers working within the Banking & Credit industries

On March 23, 2026, the UK Information Commissioner’s Office (the ICO) published updated guidance on the new recognised legitimate interest lawful basis, general legitimate interest, and the purpose limitation principle following the introduction of the Data (Use and Access) Act (DUAA).

Recognised legitimate interest

The DUAA amendments relating to recognised legitimate interest came into force on February 5, 2026. Following these amendments, “recognised legitimate interest” (under Article 6(1)(ea) UK GDPR) is one of the seven lawful bases under Article 6 UK GDPR. It is distinct from the existing “legitimate interests” lawful basis (under Article 6(1)(f) UK GDPR).

A recognised legitimate interest is a defined purpose for processing personal data that is in the public interest. There are currently five pre-approved or “recognised” interests introduced by DUAA (Annex 1, UK GDPR), which cover processing that is necessary for:

  • public task disclosure response (known as the “public task disclosure response condition”)
  • national security, public security and defence (known as the “national security, public security and defence condition”)
  • emergencies (known as the “emergencies condition”)
  • crime prevention (known as the “crime condition”), and
  • safeguarding (known as the “safeguarding condition”).

Unlike the existing legitimate interest lawful basis, the obligation to balance the interests of the controller (or third party) against those of the data subjects does not apply when relying on a recognised legitimate interest.

The guidance provides further detail on when the new lawful basis can be used, and further context on each of the five recognised conditions. The ICO clarifies that organisations do not have to change lawful basis if they currently use legitimate interests for a purpose that is a recognised legitimate interest.

The recognised legitimate interest guidance is available here.

Legitimate interest

The ICO has also updated its existing guidance (both its “brief” and “in-detail” guidance) on the general legitimate interest lawful basis. The guidance now reflects that, following DUAA, the UK GDPR specifically mentions certain purposes as potential legitimate interests, including direct marketing, intra-group transmissions for internal administrative purposes, and IT security. The guidance notes that organisations can assume these purposes constitute a legitimate interest, but they should still conduct a legitimate interest assessment (LIA) (reflecting the fact that the balancing test must still be satisfied).

The brief guidance on legitimate interest is available here and the in-detail guidance on legitimate guidance is available here.

Purpose limitation

The ICO guidance regarding the purpose limitation principle has been updated to reflect DUAA amendments, that, for example, broaden the circumstances in which new processing of personal data is considered “compatible” with the original purpose of collection, depending on whether consent was obtained.

The guidance on purpose limitation is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Nigel Parker
Nigel Parker
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More