On 23 March 2026, the Information Commissioner’s Office (ICO) published new guidance on Recognised Legitimate Interest (RLI). This follows updates introduced under the Data Use and Access Act 2025 and provides greater clarity on how organisations can rely on this lawful basis under the UK General Data Protection Regulation (GDPR).
The guidance explains how RLI differs from the standard Legitimate Interests basis, which requires organisations to assess whether their interests are overridden by the rights and freedoms of individuals.
There are five pre-approved conditions where organisations can rely on RLI without carrying out a balancing test, including processing necessary for:
Where an organisation can demonstrate that its processing clearly meets one of these conditions, it may rely on RLI as its lawful basis. Public authorities should note that RLI can’t be relied upon when processing personal data to carry out their statutory tasks, where ‘public task’ will usually be the appropriate lawful basis.
In practice, this may simplify how organisations justify certain activities, such as relying on RLI for CCTV used to prevent or detect crime.
However, organisations must still be able to show that the processing is necessary and proportionate for the specific condition relied upon and that it aligns with broader UK GDPR requirements.
Whilst RLI removes the need for a balancing test, it does not remove accountability. Organisations must continue to comply with core data protection principles, uphold individuals’ rights, and ensure appropriate safeguards are in place.
Shane Gohil, Tech & Security Sector Lead and DPO at The DPO Centre, said:
‘The ICO has stressed that ‘recognised legitimate interest’ is not a blanket permission to process data. Organisations must clearly identify which recognised condition they are relying on, ensure the processing is genuinely necessary, and continue to meet transparency and accountability requirements.’
Organisations should also be aware that RLI is a UK-specific concept. Where processing activities fall within the scope of the EU GDPR, this lawful basis is not available. As a result, organisations operating across both the UK and EU will need to take a more nuanced approach, potentially applying different lawful bases depending on the jurisdiction.
RLI is unlikely to represent a fundamental shift for most organisations, but it does provide targeted flexibility for certain processing activities when applied appropriately.