Navigating the New Frontier: What the Data (Use and Access) Act 2025 Means for Your Legitimate Interest Assessments.
The Data (Use and Access) Act 2025 (DUAA) is the most significant update to the UK's data protection framework since the UK GDPR was enacted. For organisations that have spent years mastering the three-part Legitimate Interest Assessment (LIA), the new Act introduces critical changes that are set to streamline compliance, reduce administrative burdens, and provide new clarity.
However, these changes are not a free pass. They create a new, two-tiered system for legitimate interests that businesses must understand to remain compliant and leverage the new flexibilities.
This article provides an in-depth guide to what has changed, what the new "Recognised Legitimate Interests" are, and what this means for your processing activities.
The Big Change: Introducing 'Recognised Legitimate Interests'
The most transformative change introduced by the DUAA is the creation of a new, separate lawful basis: Recognised Legitimate Interests (RLI).
Under the "old" UK GDPR, relying on Article 6(1)(f) (legitimate interests) always required a three-part Legitimate Interest Assessment (LIA):
- The Purpose Test: Is there a legitimate interest behind the processing?
- The Necessity Test: Is the processing necessary to achieve that interest?
- The Balancing Test: Are the controller's interests overridden by the fundamental rights and freedoms of the data subject?
The balancing test has always been the most complex and high-risk element. The DUAA fundamentally changes this for a specific, limited set of processing activities.
Key Takeaway: If your processing purpose is on the new, exhaustive list of "Recognised Legitimate Interests," you no longer need to conduct the balancing test. You must still demonstrate and document that the processing is "necessary" for that purpose, but the LIA process is dramatically simplified.
The Exclusive List: What Are the Recognised Legitimate Interests?
This new lawful basis is narrow and largely focused on public safety and security. You can only bypass the balancing test if your processing is necessary for one of the following purposes:
- National Security, Public Security, and Defence: Processing necessary for safeguarding the security and defence of the UK.
- Emergencies: Responding to situations that threaten serious damage to human welfare, the environment, or national security.
- Crime: Processing necessary for the detection, investigation, prevention, or prosecution of criminal offences.
- Safeguarding Vulnerable Individuals: Protecting the physical, mental, or emotional well-being of children or adults deemed "at risk."
- Public Body Disclosures: Disclosing personal data to a public body (or a body acting on its behalf) after that body confirms the disclosure is necessary for its defined public task.
For the vast majority of commercial processing, these RLIs will not apply. This is where the second major change becomes relevant.
What About 'Normal' Business Interests like Marketing?
The DUAA also provides a significant confidence boost for common business activities by moving them from the non-binding "recitals" of the UK GDPR into the main body of the law.
The Act now explicitly confirms that the following can be considered a legitimate interest:
- Direct Marketing
- Intra-group data transfers for internal administrative purposes
- Ensuring the security of your network and information systems
The Critical Difference: LIAs Are Still Required
This is the most important distinction for businesses to understand. While the Act gives these activities a firmer legal standing, it does not add them to the "Recognised Legitimate Interests" list.
This means that if you are processing data for direct marketing, you must still conduct the full, three-part Legitimate Interest Assessment, including the crucial balancing test.
- What has changed? You now have a clearer statutory footing to argue that direct marketing is a legitimate interest (the "purpose test").
- What has NOT changed? You must still weigh your commercial interest in marketing against the privacy rights of the individual and be able to justify why your interest is not overridden.
This change reduces ambiguity at the start of the LIA process but does not remove the core compliance work.
Q&A: Practical Implications of the DUAA 2025
This new landscape can be complex. Here are straightforward answers to common questions.
Q: We use legitimate interests for our B2B marketing. Can we stop doing LIAs now?
A: No. Direct marketing is not on the "Recognised Legitimate Interests" list. While the Act confirms it is a legitimate interest, you must still complete the full three-part LIA, including the necessity and balancing tests, for all direct marketing activities.
Q: Does this new Act replace the UK GDPR?
A: No. The Data (Use and Access) Act 2025 amends the UK GDPR. Think of it as an update package, not a replacement. All other principles, obligations (like transparency and data minimisation), and individual rights still apply.
Q: We are a software company. Does "ensuring network security" mean we can monitor all user activity without a balancing test?
A: No. Like direct marketing, network security is a codified "regular" legitimate interest, not a "recognised" one. You still need to conduct a full LIA. You must prove the processing is necessary and that your security needs are not outweighed by the privacy intrusion on your users.
Q: What is the single biggest action we need to take in response to this?
A: Review your Record of Processing Activities (RoPA). You must identify every processing activity that relies on legitimate interests.
- Check if any (likely very few) now fall under a Recognised Legitimate Interest. If so, update your RoPA and LIA documentation to reflect that a balancing test is no longer required.
- For all others (like marketing), ensure your existing LIAs are robust and that your documentation is up-to-date, referencing the new clarity provided by the Act.
Q: How does this affect our Data Protection Impact Assessments (DPIAs)?
A: The requirement for a DPIA for high-risk processing remains. If you are relying on a "Recognised Legitimate Interest," the processing (e.g., for crime prevention) may still be high-risk and require a DPIA. The LIA and DPIA are separate, though related, obligations.
Navigating Forward: Your Compliance Partner
The Data (Use and Access) Act 2025 continues the UK's path of creating a "pro-innovation" data regime. The introduction of Recognised Legitimate Interests streamlines compliance for critical public safety functions, while the codification of business interests like marketing provides welcome legal certainty.
However, this certainty does not mean less responsibility. For most organisations, the core compliance duty remains: you must still be able to justify and document why your processing is necessary and fair.
This new, two-tiered framework adds another layer of complexity to an already challenging regulatory world. Understanding precisely where your processing activities fit is not just a legal hurdle; it is the foundation for innovation and peace of mind.
This is where Formiti Data International excels. Our mission is to simplify data privacy in a complex world. We provide more than just consultancy; we act as a true compliance partner. Our unique, multi-disciplinary team of privacy, legal, and operations experts functions as your in-house data privacy office, translating complex legislation into a practical, business-first roadmap.
We help you replace compliance anxiety with the confidence to grow, knowing your data practices are not only compliant but a strategic asset.
Would you like to discuss how Formiti can conduct a review of your processing activities and update your compliance framework for the Data (Use and Access) Act 2025? Click here for a free consultation.
