Updated

Guide

Data processing: legitimate interests

Guidance for solicitors and law firms on when to use legitimate interests as a basis for processing personal data.

02 Jan 2026

3 minute read

‘Legitimate interests’ is one of the lawful bases for processing personal data under the UK GDPR.

An organisation can process personal data under legitimate interest if:

it has a genuine reason (a “legitimate interest”)
the processing is necessary to achieve that interest, and
the individual's rights and freedoms do not override that interest

We recommend you rely on legitimate interests or contract as the lawful basis when processing personal data.

We recommend relying on these bases instead of consent as the lawful basis.

This is because someone can withdraw their consent at any time.

You should only use legitimate interests if there is a minimal impact on the person’s privacy.

Three-part test

To check whether you can rely on legitimate interest for processing your data, it is recommended that you conduct a three-part test.

This is called a ‘legitimate interests assessment' (LIA).

While it is not mandatory, it is best practice to conduct a LIA to process data using legitimate interest.

Conducting a LIA will demonstrate that you meet your obligations under the ‘accountability’ principle in the UK GDPR.

You can use the Information Commissioner’s Office (ICO) sample LIA template.

Identify a legitimate interest

A legitimate interest is typically:

reasonable and expected by the individual
not harmful or intrusive
aligned with the organisation’s goals

Examples of legitimate interests include:

preventing fraud
ensuring IT security
direct marketing (with safeguards)
internal administrative tasks
employee monitoring for safety

Legitimate interests can be those of a controller or a third party.

Show it’s necessary

You must be able to show why it’s necessary to use personal data to achieve your objective.

The ICO has guidance on when processing counts as necessary.

Balance it against the person’s interests

You must balance the legitimate interests against your client’s interests, rights and freedoms.

Your client’s interests are likely to override your legitimate interest if:

they would not ‘reasonably expect’ you to use their data in the way you’re using it, or
if it could cause ‘unwarranted harm’

Read the ICO’s guidance on balancing legitimate interests.

Recording your decision

Once you’ve completed the three-part LIA test, you need to record your decisions.

You also need to tell your client (the data subject) the details of the controller or third party’s legitimate interests.

You can do this:

in your privacy policy
by writing to them
by speaking to them

Marketing

To rely on legitimate interests for marketing, you need to show that:

using someone’s data will have a minimal impact on their privacy
they are not likely to object to you using their data

For electronic marketing, you may need to consider consent as a lawful basis.

Read the ICO’s guidance on electronic and telephone marketing.

Children

You can rely on legitimate interests when using children’s data, but you should take extra care to make sure their interests are protected.

The information in your privacy notice needs to be age appropriate.

Read the ICO’s guidance on children and the UK GDPR.

Data to a third party

You may rely on legitimate interests to disclose personal data to a third party.

These might be your own interests, the interests of a third party, or both.

You should consider:

why the third party wants the information
if they need it
what they’ll do with it

You can rely on legitimate interests for the disclosure if it passes the three-part LIA test.

Recognised legitimate interests

The Data (Use and Access) Act 2025 has created a new lawful basis for data processing: recognised legitimate interest.

A ‘recognised legitimate interest’ is a specified purpose for handling personal information that is in the public interest.

It is separate from the legitimate interest lawful basis.

You can only rely upon the recognised legitimate interest purpose if one of the following conditions are met:

public task disclosure request
national security, public security and defence
emergencies
crime
safeguarding

Learn more about recognised legitimate interests data processing.

Read the ICO’s recognised legitimate interest guidance.

Save to bookmark

Data protection

Books

Data Protection Toolkit, 2nd edition

Go to bookshop

Books

Compliance and Ethics in Law Firms

Go to bookshop

Online learning

GDPR and information technology

Go to online learning

Data processing: legitimate interests

Three-part test

Identify a legitimate interest

Show it’s necessary

Balance it against the person’s interests

Recording your decision

Marketing

Children

Data to a third party

Recognised legitimate interests

Related articles

Appointing a data protection officer (DPO) – guide for law practices

Can the deadline for a subject access request be extended?

Changes to GDPR – what solicitors need to know

Data processing: legitimate interests

Three-part test

Identify a legitimate interest

Show it’s necessary

Balance it against the person’s interests

Recording your decision

Marketing

Children

Data to a third party

Recognised legitimate interests

Related articles

Appointing a data protection officer (DPO) – guide for law practices

Can the deadline for a subject access request be extended?

Changes to GDPR – what solicitors need to know

Changes to GDPR – what solicitors need to know