Under the UK GDPR, legitimate interests is one of the six lawful bases for processing personal data. It can be useful, but organisations should only rely on it where the purpose is legitimate, the processing is necessary, and the individual’s rights and freedoms do not override the organisation’s interest.
Under the UK GDPR, legitimate interests is a lawful basis that may allow an organisation to process personal data where it has a genuine reason, the processing is necessary, and the individual’s interests, rights and freedoms do not override that reason. In practice, this usually means carrying out and documenting a legitimate interests assessment before relying on it.
Purpose test: Is there a genuine and legitimate reason for using the data?
Necessity test: Is the processing necessary for that purpose?
Balancing test: Do the person’s rights and freedoms override the interest?
Legitimate interests can be useful where an organisation has a real and lawful reason to use personal data, but consent is not the right fit and the processing is not strictly required for a contract, legal obligation, public task, or another lawful basis. The ICO explains that organisations should apply the three-part test before relying on this basis.
The organisation needs a clear, specific and legitimate reason for using the data. This could include fraud prevention, network security, client relationship management, or some forms of proportionate marketing.
The data use should be necessary for the purpose. If the same result can reasonably be achieved in a less intrusive way, legitimate interests may not be the right basis.
The organisation must consider the individual’s rights, freedoms, expectations, vulnerability, and the possible impact of the processing before relying on legitimate interests.
Legitimate interests should sit within wider accountability, because organisations should be able to explain why they chose this basis and how they reached that decision.
Before relying on legitimate interests, organisations should work through the purpose test, necessity test and balancing test. This is often documented as a legitimate interests assessment, or LIA.
The organisation should define the interest clearly. A vague statement such as “business purposes” is usually too broad to show why the data use is justified.
The organisation should check whether the processing is genuinely needed for that purpose, and whether a less intrusive alternative could reasonably achieve the same aim.
Reasonable expectations matter. If people would be surprised, concerned, or unable to understand the data use, the balance may be harder to justify.
The organisation should consider possible harm, loss of control, vulnerability, power imbalance, sensitivity of the data, and whether safeguards reduce the risk.
Legitimate interests and consent are different lawful bases. Organisations should choose the basis that genuinely fits the processing, rather than using legitimate interests simply because consent feels inconvenient.
This basis may work where the data use is expected, low risk, clearly explained, and supported by a documented assessment. Individuals must still be told about the legitimate interests pursued.
Consent may be more appropriate where people need real control over whether the processing happens, or where another legal regime requires consent for the activity.
For marketing, organisations may need to consider both UK GDPR and PECR. Legitimate interests may sometimes support the GDPR side of marketing activity, but PECR may still require consent for certain electronic communications. See Direct Marketing and GDPR for the wider overlap.
Legitimate interests is flexible, but that flexibility is also where mistakes happen. The biggest problems usually come from weak documentation, vague reasoning, or ignoring the individual’s perspective.
Legitimate interests should not be selected automatically. The organisation still needs to show why this basis fits the specific processing activity and why the balance is fair.
If an organisation relies on legitimate interests, people should be told what those interests are. This links directly to transparency under the UK GDPR.
A legitimate interests assessment does not need to be overcomplicated, but it should be specific, honest and documented. It should explain the purpose, necessity, balance, safeguards, and the reasons the organisation believes legitimate interests applies.
Legitimate interests is always context-specific. The same activity may be appropriate in one situation and inappropriate in another, depending on expectations, impact, safeguards and the nature of the personal data involved.
Using personal data to detect or prevent fraud may often be a legitimate interest, provided the processing is proportionate and properly documented.
Monitoring systems to protect security may be justified where it is necessary, proportionate, and supported by clear internal controls.
Maintaining appropriate business records and managing client relationships may rely on legitimate interests where individuals would reasonably expect that use.
Legitimate interests may sometimes support marketing-related processing, but organisations must also check PECR, objection rights, transparency, and suppression processes.
If legitimate interests is used without a clear assessment, organisations may create problems with lawful basis, transparency, objection handling, records of processing, and wider compliance governance.
This article is based on ICO guidance on legitimate interests and recognised legitimate interests, together with UK GDPR provisions that shape how organisations choose and document a lawful basis. It also connects to wider duties around transparency, accountability, consent, and the right to object.
Use the glossary for key terms, or download the checklist if you want a practical starting point for reviewing lawful basis decisions, legitimate interests assessments, privacy information, and objection handling.