Updated: July 2025
Legitimate interests is both the UK GDPR’s most flexible and most scrutinised lawful basis for processing personal data. This article breaks down the three‑part test and shows you how to document your decision‑making with a clear Legitimate Interests Assessment (LIA).
Three‑part test is mandatory
You can rely on “legitimate interests” only if you pass all three elements: (a) a clear, specific purpose that is itself legitimate; (b) processing that is genuinely necessary for that purpose and not achievable by a less intrusive method; and (c) a balancing test showing that your interest is not overridden by the individual’s interests, rights and freedoms.
Use it only when people would reasonably expect the processing
Legitimate interests work best for low-impact, expected uses, such as routine marketing, fraud prevention, intra-group transfers, or IT security. For electronic marketing, check first whether PECR requires consent; if it does, legitimate interests cannot replace that consent. Avoid it for unexpected, intrusive, or high‑risk processing unless you have a compelling, documented justification. Public authorities cannot use this basis for tasks carried out in their official capacity.
Document everything through a Legitimate Interests Assessment (LIA)
Before processing, complete and record an LIA: state the interest, prove necessity, run the balancing test, note any safeguards (e.g., opt‑outs), and review the assessment whenever the context changes. A Data Protection Impact Assessment (DPIA) may be needed if significant risks remain.
Article 6(1)(f) gives you a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be broken down into a three-part test:
1. Purpose test: Are you pursuing a legitimate interest?
2. Necessity test: Is the processing necessary for that purpose?
3. Balancing test: Do the individual’s interests override the legitimate interest?
A wide range of interests can be considered legitimate. They can be your own interests or the interests of third parties, as well as commercial interests and broader societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
The recitals to the UK GDPR explicitly mention the use of client or employee data, direct marketing, fraud prevention, intra-group transfers of personal data for internal administrative purposes, and network and information security as potential legitimate interests, but this is not an exhaustive list. They also say that you have a legitimate interest in disclosing information about possible criminal acts or threats to public security to a competent authority.
‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
You must balance your interests against those of the individual. In particular, if they would not reasonably expect you to use data in that way or if it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with those of the individual. If a conflict arises, your interests can still prevail as long as there is a clear justification for the impact on the individual.
Legitimate interests are the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your processing.
If you choose to rely on legitimate interests, you assume additional responsibility for ensuring that people’s rights and interests are fully considered and protected.
Legitimate interests are most likely to be an appropriate basis when you use data in ways that people would reasonably expect and that have a minimal impact on their privacy. Where there is an impact on individuals, it may still apply if you can show there is an even more compelling benefit to the processing, and the effect is justified.
You can rely on legitimate interests for marketing activities if you can demonstrate that how you use people’s data is proportionate, has a minimal impact on their privacy, and is something people would not be surprised by or likely to object to. This only applies where you do not need consent under PECR: where PECR requires consent (for example, for most electronic marketing messages), legitimate interests cannot stand in for it.
You can consider legitimate interests for processing children’s data, but you must take extra care to make sure their interests are protected.
You may be able to rely on legitimate interests to disclose personal data to a third party in a lawful manner. You should consider why they want the information, whether they genuinely need it, and what they intend to do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine the lawful basis for their processing.
You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect or if you think some people would object if you explained it to them. You should also avoid this basis for processing that could cause harm unless you are confident there is nevertheless a compelling reason to go ahead, which justifies the impact.
If you are a public authority, you cannot rely on legitimate interests for any processing you do to perform your tasks as a public authority. However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider legitimate interests where appropriate. This will be particularly relevant for public authorities with commercial interests.
If you want to rely on legitimate interests, you can use the three-part test to assess whether it applies. We refer to this as a legitimate interests assessment (LIA), which should be conducted before you begin processing.
An LIA is a type of light-touch risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations under Articles 5(2) and 24. In some cases, an LIA will be fairly short, but in others, there will be more to consider.
First, identify the legitimate interest(s). Consider:
• Why do you want to process the data – what are you trying to achieve?
• Who benefits from the processing? In what way?
• Are there any wider public benefits to the processing?
• How important are those benefits?
• What would the impact be if you couldn’t go ahead?
• Would your use of the data be unethical or unlawful in any way?
Second, apply the necessity test. Consider:
• Does this processing help to further that interest?
• Is it a reasonable way to go about it?
• Is there another less intrusive way to achieve the same result?
Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:
• What is the nature of your relationship with the individual?
• Is any of the data particularly sensitive or private?
• Would people expect you to use their data in this way?
• Are you happy to explain it to them?
• Are some people likely to object or find it intrusive?
• What is the possible impact on the individual?
• How big an impact might it have on them?
• Are you processing children’s data?
• Are any of the individuals vulnerable in any other way?
• Can you adopt any safeguards to minimise the impact?
• Can you offer an opt-out?
You then need to decide whether you still think legitimate interests are an appropriate basis. There’s no foolproof formula for the outcome of the balancing test, but you must be confident that your legitimate interests are not overridden by the risks you have identified.
Keep a record of your LIA and the outcome. There’s no standard format for this, but it’s essential to record your thinking to demonstrate that you have proper decision-making processes in place and to justify the outcome.
Keep your LIA under review and refresh it if there is a significant change in the purpose, nature, or context of the processing.
If you are not sure about the outcome of the balancing test, it may be safer to look for another lawful basis. Legitimate interests will often not be the most appropriate basis for processing that is unexpected or high-risk.
If your LIA identifies significant risks, consider whether a DPIA is necessary to assess the risk and potential mitigation in more detail.
1. When should I use legitimate interests instead of consent or another lawful basis?
Use legitimate interests when the processing is something the data subject would reasonably expect, it has a minimal privacy impact, and no other lawful basis (such as consent or contractual necessity) fits the purpose more naturally. No lawful basis is inherently better than another; choose the one that genuinely matches the purpose and relationship, and record why.
2. Do I always need to complete a Legitimate Interests Assessment (LIA)?
Yes. An LIA documents the purpose, necessity, and balancing tests, helping you prove compliance and accountability under Articles 5(2) and 24 of the UK GDPR.
3. Can public authorities rely on legitimate interests?
Only for processing unrelated to their statutory public‑task duties, for example, commercial activities. They cannot invoke legitimate interests for data processing that is part of performing their official functions.