Can you reuse customer data for a new purpose? ICO’s 2026 compatibility rules explained

Scott Dooley
5 min read · Jun 29, 2026

Your team collected customer data for one stated purpose. Six months later, product wants to mine the same database for analytics, marketing wants to cross-sell, and someone suggests training an AI model on support tickets. UK GDPR's purpose limitation principle does not ban reuse outright, but it does require that any new purpose be compatible with the original one. The ICO refreshed its purpose limitation guidance on 23 March 2026 following the Data (Use and Access) Act (DUAA) amendments. Fail the compatibility test and the reuse is unlawful, even if the original collection was fully compliant.

What purpose limitation requires in practice

Article 5(1)(b) UK GDPR requires specified, explicit, legitimate purposes. Further processing must not be incompatible with those original purposes. In practice that means three things for managers: purposes must appear in your records of processing and privacy information; staff must not quietly expand what a dataset is used for; and any new use needs a documented route through compatibility rules.

Function creep is the operational risk. A CRM built for contract fulfilment slowly becomes a marketing engine. A HR system holding absence records gets repurposed for performance scoring. The ICO’s purpose limitation page treats gradual expansion as exactly what this principle is designed to stop. The March 2026 refresh followed DUAA changes that amended how UK organisations assess reuse.

When reuse is allowed without a fresh compatibility assessment

Not every new use triggers a full compatibility assessment. UK GDPR lists conditions in Annex 2 that are treated as compatible purposes. ICO guidance groups them as: disclosure in response to a public task request; disclosure for archiving; public security; emergencies; crime prevention; vital interests; safeguarding; taxation; and legal obligations.

Consent-based collections have a narrower path. ICO guidance says you typically need fresh consent for a new purpose, unless an Annex 2 condition applies, or obtaining fresh consent is not reasonably practicable and the reuse serves a public interest objective with appropriate safeguards. Data collected on a basis other than consent has more routes: fresh consent; the research, archiving or statistical provisions; an Annex 2 condition; public-interest safeguards; or a documented compatibility assessment.

For the detailed breakdown, see the ICO’s compatibility and reuse guidance, published alongside the March 2026 update.

The compatibility assessment: five factors to document

If no Annex 2 condition applies, you must assess whether the new purpose is compatible. ICO guidance sets out five factors: the link between the original and new purposes; the context in which you collected the data and what individuals reasonably expected; the nature and sensitivity of the data; the consequences of the reuse for individuals; and safeguards such as encryption or pseudonymisation.

The ICO notes that this assessment resembles a legitimate interests assessment. If you already use an LIA template, adapt it for reuse decisions. Reuse is likely incompatible when the new purpose would surprise individuals, differs sharply from the original collection context, or carries an unjustified impact on them. ICO guidance cites a GP sharing patient records with a travel agent for holiday bookings as an example of incompatible reuse.

High-risk reuse may also trigger a data protection impact assessment. Our DPIA guide sets out when UK organisations must run one before processing starts.

You still need a lawful basis for the new purpose

A compatibility finding satisfies the purpose limitation principle. It does not supply a lawful basis. ICO guidance is explicit: you need a separate Article 6 lawful basis for the new processing activity. Data collected on consent often needs new consent, or a different basis, for the new use. Special category data needs an Article 9 condition for the reuse, and criminal offence data needs an Article 10 condition.

Marketing reuse has its own path. Direct marketing to existing customers may qualify for the soft opt-in under PECR, but that is a separate test from compatibility. Do not treat a compatibility pass as permission to email everyone in a CRM.

Manager checklist: before you repurpose a dataset

  • Document the original purpose and the planned new purpose in writing.
  • Check Annex 2 conditions before running a full compatibility assessment.
  • Run and record a compatibility assessment when no fast path applies.
  • Confirm lawful basis for the new processing, plus Article 9 or 10 conditions if relevant.
  • Update privacy information before reuse begins.
  • Review your records of processing and retention schedules. Do not keep data for undeclared future uses.

Purpose statements in privacy notices must match what teams actually do. Train staff on the boundary between analytics that support the original service and reuse that needs a fresh assessment.

For team-wide training on purpose limitation, lawful basis, and documentation, see our GDPR Essentials course.

FAQ

Can we use customer support tickets to train an AI model?

It depends on the original purpose, what ticket holders were told, and the sensitivity of the content. Run the five-factor compatibility assessment and confirm a lawful basis before any model training starts. Pseudonymisation and exclusion of special category data reduce risk but do not remove the assessment.

Does analytics on website behaviour count as compatible reuse of account data?

Only if the link between purposes, collection context, and individual expectations supports it. Analytics closely tied to the service the user signed up for is easier to justify than repurposing account identifiers for unrelated profiling.

When do we need fresh consent versus a compatibility assessment?

Consent-collected data usually needs fresh consent for a materially different purpose unless an Annex 2 condition or public-interest safeguard applies. Non-consent data can proceed via Annex 2, research provisions, or a documented compatibility assessment.

What changed in the ICO guidance in March 2026?

The ICO updated purpose limitation and compatibility guidance on 23 March 2026 to reflect DUAA amendments. Both pages now include refreshed sections on Annex 2 conditions, compatibility factors, and lawful basis requirements for reuse.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.