New and updated UK guidance on recognised legitimate interest, general legitimate interest and purpose limitation

Recognised legitimate interest

The DUAA amendments relating to recognised legitimate interest came into force on February 5, 2026. Following these amendments, “recognised legitimate interest” (under Article 6(1)(ea) UK GDPR) is one of the seven lawful bases under Article 6 UK GDPR. It is distinct from the existing “legitimate interests” lawful basis (under Article 6(1)(f) UK GDPR). 

A recognised legitimate interest is a defined purpose for processing personal data that is in the public interest. There are currently five pre-approved or “recognised” interests introduced by DUAA (Annex 1, UK GDPR), which cover processing that is necessary for: 

• public task disclosure response (known as the “public task disclosure response condition”)
• national security, public security and defence (known as the “national security, public security and defence condition”)
• emergencies (known as the “emergencies condition”)
• crime prevention (known as the “crime condition”), and
• safeguarding (known as the “safeguarding condition”). 

Unlike the existing legitimate interest lawful basis, the obligation to balance the interests of the controller (or third party) against those of the data subjects does not apply when relying on a recognised legitimate interest. 

The guidance provides further detail on when the new lawful basis can be used, and further context on each of the five recognised conditions. The ICO clarifies that organisations do not have to change lawful basis if they currently use legitimate interests for a purpose that is a recognised legitimate interest. 

The recognised legitimate interest guidance is available here. 

Legitimate interest

The ICO has also updated its existing guidance (both its “brief” and “in-detail” guidance) on the general legitimate interest lawful basis. The guidance now reflects that, following DUAA, the UK GDPR specifically mentions certain purposes as potential legitimate interests, including direct marketing, intra-group transmissions for internal administrative purposes, and IT security. The guidance notes that organisations can assume these purposes constitute a legitimate interest, but they should still conduct a legitimate interest assessment (LIA) (reflecting the fact that the balancing test must still be satisfied). 

The brief guidance on legitimate interest is available here and the in-detail guidance on legitimate guidance is available here.

Purpose limitation

The ICO guidance regarding the purpose limitation principle has been updated to reflect DUAA amendments, that, for example, broaden the circumstances in which new processing of personal data is considered “compatible” with the original purpose of collection, depending on whether consent was obtained. 

The guidance on purpose limitation is available here.