Recognised legitimate interest: a new UK GDPR lawful basis

The question

What does the new “recognised legitimate interest” (RLI) lawful basis under the UK GDPR mean in practice for businesses, and when should they use it?

The key takeaway

RLI is a new lawful basis for specific, pre‑approved public interest purposes (such as crime prevention, safeguarding and emergencies) that removes the need for a legitimate interests assessment, but still requires controllers to show that their use of personal data is necessary, targeted and compliant with all other UK GDPR obligations. 

The background

RLI was introduced into the UK GDPR by the Data (Use and Access) Act 2025 (DUA), adding a new lawful basis in Article 6(1)(ea). It applies where processing is “necessary for the purposes of a recognised legitimate interest”, with those pre-approved five interests being listed in annex 1 of the UK GDPR. RLI is intended to sit alongside, and not replace, the existing legitimate interests lawful basis in Article 6(1)(f) UK GDPR.

The development

The 5 RLI conditions are as follows:

• the public task disclosure condition allows an organisation to share personal data with another organisation that requests it to perform a task in the public interest, or to exercise its official authority, where the task or authority is laid down in law. It is aimed at enabling voluntary disclosure, rather than where a legal obligation compels sharing, and the requesting organisation must confirm that they need the personal data for the relevant purpose;
• the national security, public security and defence condition permits processing necessary for these purposes, which may also be relevant where private entities are supporting security or defence functions;
• the emergencies condition permits processing necessary to respond to an “emergency” as defined in the Civil Contingencies Act 2004. Examples of emergencies include extreme weather, pandemics and could cover severe cyber‑attacks on infrastructure that threaten serious damage to life, welfare or the environment;
• the crime condition enables processing necessary to detect, investigate or prevent crime, or to prosecute offenders, including economic crimes such as scams, fraud and money laundering;
• the safeguarding condition applies where processing is necessary to safeguard a “vulnerable individual” (children, or adults “at risk”) from physical, mental or emotional harm. 

There are also other points to be mindful of when considering using RLI:

• public authorities cannot rely on RLI when processing in performance of their public tasks;
• RLI is not available for fully automated decision‑making within Article 22 UK GDPR, which must rest on another lawful basis;
• for special category and criminal offence personal data, controllers must ensure that they are able to rely on an appropriate condition for processing this data in addition to relying on RLI;
• data subjects' right to object also applies in relation to RLI;
• controllers need not carry out a legitimate interest assessments when relying on RLI, but they must still demonstrate that the processing is necessary and proportionate for the purpose;
• for the public task disclosure condition, the requesting organisation's public interest task or official authority must be laid down either in domestic law or in specific international law (currently the only international law specified is the UK-US Data Access Agreement which enables law enforcement authorities to request data from communication service providers for the investigation of serious crimes);
• for the public task disclosure condition, if the disclosure would involve processing for a new purpose and the controller wishes to take advantage of the DUA changes on purpose limitation, the requesting organisation will also need to specify one of the listed objectives in Article 23 UK GDPR (e.g. public security, investigation of crime).

Compared with the existing legitimate interests lawful basis, RLI is narrower but provides more certainty for businesses that their lawful basis is valid. 

Why is this important?

For businesses, RLI is likely to be most relevant where they support public authorities or law enforcement through data sharing, participate in crisis response (including cyber‑incidents affecting critical services), implement safety and trust measures against criminal activity, carry out age verification or handle safeguarding alerts about vulnerable users. In these contexts, RLI can reduce legal uncertainty by providing a predefined lawful basis, especially where a full legitimate interests assessment would be time‑consuming. It also aligns with emerging policy expectations that platforms will share and use data responsibly to tackle harms such as fraud and ensure protection for children, while maintaining UK GDPR standards. 

Businesses must still comply with all data protection principles, including purpose limitation, data minimisation and transparency, and must be ready to justify necessity and proportionality under regulatory scrutiny. 

Any practical tips?

Businesses should map where existing or anticipated activities might fall within the five RLI conditions. Where a legitimate interests assessment hasn’t already been carried out for a given activity and falls within an RLI, the RLI may be a more efficient lawful basis to rely on. Businesses should also assess necessity and proportionality of the data sharing or processing, ensure that it is minimised to what is required, and document their rationale in an internal note. 

Businesses may also need to update relevant policies and notices for example, customer privacy notices to reference RLI where it becomes a lawful basis for certain activities, and internal protocols for handling law enforcement or public authority requests to require the requester to confirm the data is needed for their public task.