On 23 March 2026 the ICO issued its final guidance on Recognised Legitimate Interests. The lawful basis section of the general guide has been updated with brief guidance and there is more detailed guidance aimed at DPOs/those responsible for data protection.
The guidance covers the following grounds:
- Disclosure of information in support of a public task
- National security, public security and defence
- Emergencies
- Crime
- Safeguarding
The detailed guidance merits close scrutiny if you plan to use any of these grounds as it sets out the considerations specific to the application of each one.
Although you do not need to do a balancing test, the guidance makes it clear that you need to document your justification for relying on the relevant recognised legitimate interests – showing the processing is necessary for the identified interest.
A few further points to note:
- you are not obliged to switch to using this new basis
- you cannot use recognised legitimate interests as a basis for automated decision making which results in legal or similarly significant effects
- privacy information needs to refer to the specific interest you are relying on
- more than one recognised legitimate interest may apply to your processing and you will need to identify and document them all
- the right to object applies
You can find the detailed guidance here.
If you would like some help to set up documentation and processes so you can take advantage of this new legal basis, please get in touch by emailing hello@hellodpo.com and the team will be happy to help.
