On 23 March 2026, the Information Commissioner's Office (ICO) updated the guidance on legitimate interests in its guide to lawful basis under the UK General Data Protection Regulation (UK GDPR). Legitimate interests is one of seven lawful bases for processing personal information under the UK GDPR. It applies where processing is necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Controllers relying on legitimate interests must apply a three-part test: the purpose test, the necessity test, and the balancing test.

Legitimate interests may include commercial interests, individual interests, and broader societal benefits. The UK GDPR specifically identifies IT security, direct marketing, and intra-group transmissions for internal administrative purposes as potential legitimate interests. Controllers must conduct and record a legitimate interest assessment (LIA) before processing begins. The right to data portability does not apply where legitimate interests is the lawful basis. For direct marketing, the right to object is absolute. Public authorities may not rely on legitimate interests when performing their public tasks. Controllers must include details of their legitimate interests in their privacy information.