A Flexible Basis for Processing Data
When processing personal data, organisations must rely on one of the lawful bases set out in the UK GDPR. Legitimate interests is the most flexible – and my personal favourite – but it comes with specific requirements. Using legitimate interests under UK GDPR allows for practical, proportionate data use, as long as you carefully assess the risks and ensure compliance.
When Can You Rely on Legitimate Interests?
Legitimate interests allows an organisation to process personal data when the processing is necessary for its own interests or those of a third party. However, those interests must not override the rights and freedoms of the individual.
Some common scenarios where legitimate interests may apply include:
- Direct marketing: Promoting products and services to customers.
- Fraud prevention: Taking necessary steps to protect against fraudulent activities.
- Network and information security: Ensuring the safety and security of IT systems.
- Preventing crime: Processing data for crime prevention or investigation purposes.
- Enhancing services: Using data to improve products, services, and user experiences.
The PECR Soft Opt-In for Direct Marketing
One of the specific ways organisations can rely on legitimate interests is through the PECR (Privacy and Electronic Communications Regulations) soft opt-in. Using legitimate interests under UK GDPR, organisations can send marketing communications without prior consent, provided certain conditions are met:
- The individual has previously purchased or made an enquiry about similar products or services.
- The contact details were obtained during a sale or negotiations for a sale.
- The individual is given a clear option to opt out of marketing at the point of collection and in every subsequent communication.
This approach allows organisations to engage existing customers or supporters in a lawful, proportionate way – balancing outreach with privacy rights.
Conducting a Legitimate Interests Assessment (LIA)
Before relying on legitimate interests as a lawful basis for processing, organisations should conduct a Legitimate Interests Assessment (LIA). There is no legal obligation to complete one, but it is best practice and supports the Information Commissioner’s Office (ICO) expectations on accountability.
An LIA ensures that the organisation’s interests align with privacy protections and that processing is necessary and proportionate, and typically involves three main steps:
- Purpose Test: Identify and define the legitimate interest the organisation is pursuing.
- Necessity Test: Evaluate whether the processing is necessary to achieve the stated purpose.
- Balancing Test: Weigh the organisation’s interests against the rights and freedoms of the data subjects, ensuring that the processing does not unduly impact their privacy.
The ICO provides guidance and tools to help organisations complete an LIA and demonstrate their compliance with the regulations.
ICO’s View on Legitimate Interests
The ICO calls legitimate interests the most flexible lawful basis for processing personal data, suitable for a wide range of purposes. But flexibility doesn’t mean it’s always appropriate. Organisations should only use it when processing aligns with individuals’ expectations, and must also respect their rights and freedoms.
Recognised Legitimate Interests in the Data (Use and Access) Bill
The forthcoming Data (Use and Access) Bill proposes to introduce the concept of recognised legitimate interests. These are specific types of processing activity for which organisations can rely on legitimate interests without carrying out the usual balancing test.
The Bill proposes the following recognised legitimate interests:
- Disclosure for purposes of processing described in Article 6.1(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- National Security, Public Security, and Defence: Processing is necessary to safeguard national security, protect public security, or for defence purposes.
- Emergencies: Processing is necessary for responding to an emergency (as defined in the Civil Contingencies Act 2004).
- Crime: Processing necessary for detecting, investigating, or preventing crime, or apprehending or prosecuting offenders.
- Safeguarding Vulnerable Individuals: Processing is necessary to protect vulnerable individuals, such as those under eighteen or adults at risk, from neglect or harm.
These recognised legitimate interests offer legal clarity and support. They help organisations process data lawfully and carry out essential activities.
Final Thoughts
Legitimate interests offer a versatile and robust legal basis for processing personal data, but organisations must approach it carefully. Conducting a Legitimate Interests Assessment (LIA) helps ensure compliance. The new recognised interests in the Data (Use and Access) Bill will streamline key processing activities. Staying informed about current and upcoming regulations lets organisations balance operational needs with individual privacy rights.
Get In Touch
Kate Fitzgerald Consulting Limited offers a range of data privacy and protection services for arts and cultural organisations. If you would like a chat to discuss any needs you may have, do get in touch – we’d love to hear from you.
