The UK’s Data (Use and Access) Act 2025 introduces a significant change to GDPR compliance: recognised legitimate interests. This new lawful basis gives organisations pre-approved grounds for processing personal data in specific circumstances, reducing legal uncertainty and administrative burden. With the ICO’s consultation closing on 30 October 2025, now is the time to understand how this affects your data protection practices.
What Are Recognised Legitimate Interests?
Recognised legitimate interests represent a new lawful basis for processing personal data under UK GDPR. Introduced by the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, this mechanism pre-approves certain types of processing activities that serve the public interest.
Unlike the standard legitimate interests assessment—where you must conduct a case-by-case balancing test weighing your interests against the rights and freedoms of data subjects—recognised legitimate interests provide a shortcut. For specific, pre-defined purposes, the government has already determined that the processing is lawful and proportionate.
This doesn’t mean you can process data without any safeguards. You still need to comply with the other GDPR principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity. However, you won’t need to document a detailed legitimate interests assessment (LIA) for qualifying activities.
The Six Pre-Approved Categories
The Data (Use and Access) Act establishes six recognised legitimate interests. Each category addresses specific scenarios where organisations need legal certainty to process personal data effectively.
Crime prevention and detection: This covers processing necessary to prevent or detect unlawful acts. For example, a retailer sharing CCTV footage with police investigating shoplifting, or a bank flagging suspicious transactions that might indicate fraud.
Public security and national defence: Processing required to protect the UK’s security interests. This might include background checks for employees working in sensitive sectors, or sharing information with relevant authorities about potential security threats.
Safeguarding vulnerable individuals: Activities aimed at protecting children and adults at risk from harm. Think of schools sharing concerns about a child’s welfare with social services, or care providers coordinating information about vulnerable adults.
Emergency situations: Processing needed to respond to emergencies that threaten life, health, or safety. A hospital accessing patient records during a medical emergency, or emergency services coordinating response data during a major incident.
Sharing data to help public bodies perform their tasks: This enables private sector organisations to support public authorities. For instance, utility companies providing consumption data to support public health initiatives, or transport operators sharing passenger information to improve public services.
Other purposes specified by the Secretary of State: The Act allows for additional categories to be designated through regulations, providing flexibility to respond to future needs.
How Recognised Legitimate Interests Simplify Compliance
The primary benefit is speed and certainty. When you process data for a recognised legitimate interest, you don’t need to conduct and document a detailed balancing test for each processing activity.
Standard legitimate interests assessments require you to:
- Identify your legitimate interest
- Show that the processing is necessary
- Balance your interests against the data subject’s rights
- Document your reasoning
For recognised legitimate interests, the balancing test has already been done at a legislative level. You still need to ensure the processing is necessary and proportionate, but you avoid the detailed documentation burden.
This matters most for routine activities that serve the public good. A safeguarding team can share information more quickly when a child is at risk. A business can report suspicious activity to law enforcement without delay. The legal certainty reduces hesitation and speeds up decision-making.
However, recognised legitimate interests don’t override other GDPR requirements. You must still:
- Be transparent with data subjects about your processing
- Respect data subject rights (such as the right to object)
- Implement appropriate security measures
- Limit data collection to what’s necessary
- Delete data when it’s no longer needed
The ICO’s Consultation (Closing 30 October 2025)
The ICO launched a 10-week consultation on recognised legitimate interests to gather feedback on how this new lawful basis should work in practice. The consultation closes on 30 October 2025.
Key questions the ICO is addressing include:
- How organisations should demonstrate that their processing falls within a recognised category
- What documentation is required (even if less than a full LIA)
- How to handle edge cases where processing might serve multiple purposes
- The interaction between recognised legitimate interests and other lawful bases
- Guidance on when to use recognised legitimate interests versus standard legitimate interests
Organisations can participate by submitting written responses through the ICO’s consultation portal. Even if you don’t submit formal feedback, reviewing the consultation documents will help you understand how the ICO expects the new lawful basis to be applied.
The consultation is particularly relevant if your organisation regularly processes data for crime prevention, safeguarding, or supporting public bodies. Your practical experience can help shape guidance that works in the real world.
Implementation Timeline and Next Steps
The Data (Use and Access) Act received Royal Assent in June 2025, but the provisions will be implemented in stages over 2-12 months. Different elements of the Act come into force at different times, as specified by commencement regulations.
The ICO has indicated it will publish final guidance on recognised legitimate interests in winter 2025/2026, after analysing consultation responses. This guidance will provide practical examples and clarify expectations.
What you should do now:
Review your current processing activities: Identify where you currently rely on standard legitimate interests. Could any of these qualify as recognised legitimate interests once the provisions come into force?
Map your data flows: Document how you process data for crime prevention, safeguarding, emergencies, or supporting public tasks. This preparation will make it easier to adopt recognised legitimate interests when they become available.
Monitor ICO guidance: Watch for the ICO’s final guidance document. It will contain practical examples and clarification on documentation requirements.
Update your privacy notices: Once recognised legitimate interests come into force, you’ll need to update privacy information to explain this lawful basis to data subjects.
Train your team: Make sure staff who make decisions about data processing understand when recognised legitimate interests apply and when you still need a full legitimate interests assessment.
Don’t rush to change your current practices before the provisions are fully in force and ICO guidance is published. Continue using your existing lawful bases until you have clarity on implementation requirements.
Conclusion
Recognised legitimate interests represent a practical evolution in UK data protection law, offering clarity for specific, pre-approved uses. While the consultation period is still open, organisations should familiarise themselves with the categories and assess whether their processing activities might qualify.
The key takeaway is that recognised legitimate interests don’t reduce your obligations—they reduce administrative burden for activities that clearly serve the public good. You still need to process data fairly, transparently, and proportionately. But you can do so with greater legal certainty and less documentation overhead.
As implementation progresses through 2025 and 2026, this new lawful basis could streamline compliance for many common data processing scenarios, particularly in sectors dealing with safeguarding, security, and public service delivery. Stay engaged with the ICO’s consultation and guidance to ensure you’re ready when the time comes to implement this change.
