After a few years where data protection laws in the United Kingdom were settled, the Data (Use and Access) Act 2025 (DUAA) is ushering in a period of change.
For those of you who have only just recovered from the GDPR, the news that data protection laws are changing again may not be entirely welcome.
The good news is that many of the changes DUAA is bringing in are intended to make your life easier, rather than introducing complex new obligations and – while some things are changing – much remains the same. This series of blogs from the IT & data team at Mills & Reeve aims to help you understand the impact that DUAA will have on established ways of doing things. In this one, Julia Carey explains the new concept of ‘recognised legitimate interests.’ This is one of the aspects of DUAA that is designed to simplify, rather than add to, compliance obligations. At the time of writing, this aspect of DUAA has not yet begun to apply, but it is expected that it will do in the first few months of 2026.
If you need a reminder about the meaning of some of the key data protection terminology used (eg personal data, data subject, data controller, processing), please refer to our glossary.
What are recognised legitimate interests and how might they help me?
In relation to the lawful bases for processing personal data, if your organisation has ever tried to tackle the question of “can we process this personal data under legitimate interests?”, you will know that it’s not always a simple task. It is necessary to weigh the organisation’s own commercial objectives against the rights of individuals via a balancing test or a full legitimate interests assessment, before processing the personal data.
The Data (Use and Access) Act 2025 (DUAA) simplifies the process for sharing personal data for matters relating to the public interest by introducing a list of specific “recognised legitimate interests”. These are essentially a list of pre-approved lawful public interest purpose bases for which personal data may be disclosed. If the personal data to be shared falls within one of these scenarios, organisations are exempt from performing the balancing test or a full legitimate interests assessment. Your organisation only needs to be able to demonstrate that the processing is strictly necessary.
Overall, the introduction of recognised legitimate interests will provide greater certainty and less obstacles for organisations wishing to share personal data in relation to public interest tasks. This will also encourage collaboration with law enforcement bodies and public authorities whilst enabling faster decision-making for disclosures in the public interest, such as for matters involving crime prevention, safeguarding vulnerable people and responding to emergencies.
These changes only apply within the UK. Therefore, if your organisation operates within both the UK and the EU, it will be necessary to have a dual-compliance strategy in place to satisfy the requirements of both the UK GDPR and the EU GDPR.
What was the position before DUAA and how has DUAA changed things?
The concept of ‘legitimate interests’ is one of six possible lawful bases for processing personal data and was already contained within Article 6(1)(f) of the UK GDPR. The balancing test (which is necessary when relying on this basis) often meant sharing personal data for public interest tasks involved uncertainty and risk because those disclosing the personal data had to judge necessity and compatibility on a case-by-case basis.
The DUAA adds a new clause (Article 6(1)(ea)) to the UK GDPR to introduce the concept of recognised legitimate interests. The DUAA also adds a new Annex 1 to the UK GDPR which creates a statutory list of these recognised legitimate interests (which are subject to change through secondary legislation). This list includes the following:
- Sharing personal data with an organisation when they confirm it is needed for a public task
- National security and defence
- Responding to emergencies (such as natural disasters or major incidents)
- Preventing or investigating crime
- Safeguarding children or vulnerable adults
What does this mean for my organisation?
The removal of the balancing test when the scenario is classified as one of the recognised legitimate interests reduces the administrative burden and risk on organisations, saving time and making it easier/quicker to share personal data in relation to public interest tasks, where time is often of the essence (eg crime prevention).
It would allow your organisation to give personal data to the police (for example), without requiring you to decide whether the police needs that information to perform its public function. Instead, the police (as the organisation making the request) is responsible for this decision.
The removal of the balancing test also limits the ability of data subjects to challenge the processing of their personal data (in these situations).
When are these changes coming into force?
5 February 2026.
What can I do now to help ensure my organisation is compliant?
- Map all current legitimate interest processing, to check if any fall within the new recognised legitimate interests category.
- Update your privacy notices and data sharing agreements to reference these recognised legitimate interests where they apply and explain the removal of the balancing test.
- Train staff so they are aware of when the new recognised legitimate interests concept will apply.
- Keep good documentation – evening if a balancing test or a full legitimate interests assessment is not required, it is still important to record the context and decision-making process behind actions taken since transparency remains critical.
- Monitor guidance from the Information Commissioner’s Office (ICO): More detailed guidance is expected on this topic from the ICO during 2026.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.