What the ICO’s New ‘Recognised Legitimate Interest’ Means for UK Data Protection: Key Takeaways from the Data (Use and Access) Act 2025 Consultations

The Information Commissioner’s Office (ICO) has recently launched public consultations on amendments to the Data (Use and Access) Act 2025. This includes the introduction of a new lawful basis for processing—‘recognised legitimate interest’—and new requirements for handling data protection complaints. This development is significant for UK organisations as it aims to provide more confidence in using personal information in the public interest and mandates all organisations to establish a process for data protection complaints.

What is the ‘Recognised Legitimate Interest’ Lawful Basis?

The ‘recognised legitimate interest’ is a new lawful basis for processing personal data, distinct from the existing ‘legitimate interests’ basis. While the traditional ‘legitimate interests’ basis allows organisations to process data for their own interests, provided they do not override the rights and freedoms of the data subjects, the ‘recognised legitimate interest’ is designed to support processing that serves a broader public interest. This could include activities that benefit society at large, such as research and innovation, public health initiatives, and more.

New Requirements for Data Protection Complaints

Under the new amendments, organisations are required to have a formal process for handling data protection complaints. This means establishing clear procedures for receiving, investigating, and resolving complaints in a timely manner. Best practices might include appointing a dedicated data protection officer, providing staff training on complaint handling, and ensuring transparency in communication with complainants.

What Does the ICO Want from the Consultation?

The ICO’s consultation aims to gather feedback from organisations and privacy professionals on the proposed amendments. The goal is to refine the legislation to better support data protection practices while balancing the needs of businesses and the rights of individuals. Organisations and privacy professionals can contribute by providing insights on the practical implications of the changes and suggesting improvements.

Practical Implications for Organisations

Organisations should prepare for these changes by reviewing and updating their privacy policies, internal processes, and staff training programs. It is crucial to ensure that all data processing activities align with the new ‘recognised legitimate interest’ basis and that complaint handling procedures are robust and effective.

Broader Context

These developments in the UK are part of a larger trend in data protection regulation. The EU is also working to simplify GDPR obligations for SMEs, and there are ongoing discussions about AI regulation. Understanding these broader trends can help organisations position themselves strategically in the evolving data protection landscape.

Other Links on the Web

• China Monthly Data Protection Update
• 51 Useful Data Protection Resources
• ICO Launches Consultations for Data Use and Access Act 2025 Amendments
• Principles of Privacy by Design
• DWF Data Protection Insights August