Recognised Legitimate Interests and Vulnerable Customer Data
- Robert Bell
- 2 days ago
Recognised Legitimate Interests
The Information Commissioner’s Office (ICO) is consulting on draft guidance about recognised legitimate interest. This new lawful basis for processing has been added to the UK GDPR by the Data (Use and Access) Act 2025 but doesn’t come into force until June 2026.
The consultation is open until 30 October 2025.
When can recognised legitimate interests be used?
At RB Compliance we have received several questions about the new guidance, specifically when recognised legitimate interests can be used and, of course, when it can’t.
To answer this question, we need to go back to basics and look at what is being introduced. Essentially the legislation brings in an additional seventh basis to process data under Article 6 of UK GDPR, the ‘recognised legitimate interests’. Firms must have a lawful basis to use personal information in line with the ‘lawfulness, fairness and transparency’ principle; Article 6 sets out the bases firms may choose from.
Historically, firms have been able to rely on legitimate interests, where a balancing test is required to determine whether it is reasonable to process the customer’s data. To reduce the burden on firms, a number of recognised legitimate interests are being added as the seventh basis.
What are recognised legitimate interests?
When you need information to:
- share it with another organisation that has requested it from you because they need it for their public task or official functions
- safeguard national security, protect public security or for defence reasons
- respond to, or deal with, an emergency situation
- prevent, detect or investigate crimes, including the apprehension and prosecution of offenders
- protect the physical, mental or emotional well-being of people who need extra support to do this or protect them from harm or neglect.
For vulnerable customers of financial services firms, it is under the final of these that data relating to the economic situation of vulnerable individuals may well fall.
When can recognised legitimate interests be used for vulnerable customer data?
Again, to answer this question we need to go back to basics. The first step is assessing whether the vulnerable customer data is special category data. If it is not, then only an Article 6 basis is required and recognised legitimate interests may be used. Vulnerabilities such as financial difficulties, bereavement and relationship breakdown are not, in the absence of health-related root causes, special category data.
Where the data is special category data (vulnerabilities where the individual has a health concern), both an Article 6 basis AND an Article 9 basis are required. I’ve copied the relevant section from the ICO’s guidance which confirms this:

Recognised legitimate interests solely impacts the Article 6 basis, meaning it is simpler to select this basis, but there has been no change in the law that requires an Article 9 basis as well. Article 9 bases include explicit consent, as well as others listed in Article 9(2) of UK GDPR such as data already made public, vital interests and substantial public interest (see the guidance I co-wrote on behalf of the Money Advice Trust / MALG on this subject: Vulnerability, GDPR, and disclosure: A practical guide for creditors and advisers).
Therefore, this new basis does not ‘get rid’ of the need to get explicit consent (or a different Article 9 basis); it instead simply makes it easier for firms to identify the corresponding Article 6 basis. In practical terms this, unfortunately, is not a shift in current front-line practices.
If you would like further clarification on this point, don’t hesitate to contact me: robert.bell@rbcompliance.co.uk
Of specific interest might be our e-learning module on vulnerability covering this and a range of techniques to identify and support customers. Take a look at our e-learning offer here: Compliance E-Learning | RB Compliance Consultancy