ICO publishes updated purpose limitation guidance

Published on 11 June 2026

The question

What changes should businesses make based on the ICO’s updated guidance on the purpose limitation principle and reuse of personal data?

The key takeaway

The ICO's updated guidance clarifies when organisations can reuse personal data for new purposes and when a fresh lawful basis is needed. It also explains the new compatible purposes introduced by the Data (Use and Access) Act 2025 (DUAA). Businesses should tighten purpose specification, documentation and compatibility assessments, particularly where multiple uses of people's personal data are envisaged.

The background

The ICO has published updated guidance in light of amendments to the purpose limitation principle made by s71 DUAA, including how to determine when reusing personal data is compatible with its original collection purpose. This framework is particularly significant for data‑driven businesses that routinely seek to repurpose data for purposes such as product development, security and analysis.

The development

Expectations on specifying purposes

The ICO reiterates that organisations must be clear from the outset about why they are collecting personal data, document those purposes (for example in Article 30 records) and explain them in privacy notices. This supports fairness, transparency, data minimisation and accountability requirements and helps avoid “function creep”. The ICO also expects regular review of processing, internal records and privacy information to check that purposes have not evolved beyond those originally specified, with updates communicated to individuals before reuse.

Structured rules on reusing personal data

The updated guidance explains that personal data can be reused for new purposes only where those purposes are compatible with the original purpose. It provides rules on when reuses are to be treated as compatible with the original purpose, with different criteria depending on whether or not the original lawful basis was consent. 

Where the original lawful basis was not consent, a new use of personal data is treated as compatible if it satisfies any one of six routes: (i) fresh consent is obtained for the new use, provided that use is specified, explicit and legitimate; (ii) the new use falls within the research, public interest archiving or statistical processing provisions; (iii) the reuse is necessary to comply with, or demonstrate compliance with, a data protection principle; (iv) the new use qualifies under one of the Annex 2 Conditions — a defined list of compatible purposes newly introduced into UK GDPR by the DUAA; (v) the new use is necessary to safeguard specified public interest objectives authorised by law; or (vi) the new purpose passes a compatibility assessment.

Where personal data was originally collected under a consent lawful basis, reuse is more restricted, with only four available routes: obtaining fresh consent; reusing the data to comply with (or demonstrate compliance with) a data protection principle; relying on processing necessary to safeguard a specified public interest objective authorised by law; or relying on one of the Annex 2 Conditions. Importantly, the public interest and Annex 2 Conditions routes are only available where obtaining fresh consent is not reasonable.

New conditions "to be treated as compatible" (Annex 2 Conditions)

Annex 2 lists specific reuses that are “to be treated as compatible” for purpose limitation, including responding to public task disclosure requests, responding to requests for archiving in the public interest (where the personal data was originally collected on the basis of consent), protecting public security, responding to emergencies, combating crime, protecting vital interests, safeguarding vulnerable people, assessing or collecting tax, and complying with legal obligations. 

Where the personal data was originally collected under the consent lawful basis, the Annex 2 Conditions may only be relied upon where it is not reasonable to obtain new consent.

Compatibility test

For any other proposed reuses of personal data not originally collected on the basis of consent, a compatibility assessment must be carried out to determine if the new purpose is compatible with the original purpose. Factors to be considered as part of this assessment include: (i) any link between the original and new purpose; (ii) the context of the original data collection/relationship with the individual; (iii) the nature of the personal data to be processed, including in particular whether it is a special category of personal data or criminal data; (iv) the potential consequences of the processing for the individual; and (v) the appropriate safeguards in place to protect the personal data.

The ICO notes that a compatibility assessment has similarities with a legitimate interests assessment (LIA) and the ICO's LIA template could be used. A new purpose is unlikely to be compatible with the original purpose if: (i) it is very different from the original purpose; (ii) the new use would not be expected by individuals; and (iii) it would have an "unjustified impact" on the individual.

Where a new purpose is determined not to be compatible with the original purpose, you are likely to need to obtain specific consent for the new use.

Why is this important?

For businesses with extensive ecosystems and multiple business lines, purpose limitation can act as a constraint on cross‑use of user data. While the Annex 2 Conditions provide greater legal certainty for specified reuses, they do not relax the need to have a lawful basis (or bases) for the processing. Regulatory and public scrutiny of “function creep” is expected to increase. Therefore, businesses should ensure purposes of processing personal data are clearly defined and the compatibility of any reuse of data is analysed and documented.

Any practical tips?

Businesses should map and reassess purpose statements in their privacy notices, ensuring they are clear and cover all proposed purposes of use. Overly broad and/or catch‑all formulations should be avoided. In addition, Article 30 records should be revisited to ensure they reflect actual practice.  

Businesses should implement (or strengthen) a structured compatibility assessment process, aligned with their legitimate interests frameworks, for any proposed reuse not clearly covered by the Annex 2 Conditions or existing consent.

Platforms should ensure that changes to data use trigger privacy information updates and communications to users before any material change of purpose, to guard against the potential for unlawful function creep. 

Summer 2026
