Legitimate interests is one of the most commonly relied-on lawful bases under the UK GDPR; nevertheless, it is also one of the most commonly misapplied. In practice, it can be an entirely appropriate basis for processing personal data, particularly where the processing is expected, proportionate, and supported by sensible safeguards. However, because this basis depends on context and balancing, it only really holds up when you can demonstrate that you have assessed necessity and impact through a Legitimate Interests Assessment (LIA). The ICO’s guidance makes clear that organisations should consider when legitimate interests is appropriate and keep records that help demonstrate compliance. (ICO)

This guide explains what legitimate interests is, when it works well (and when it doesn’t), and how small businesses can produce an LIA that is structured, defensible, and aligned with their privacy notice.

Why legitimate interests matters (and why it causes problems)

Legitimate interests is attractive because it feels operationally realistic: unlike consent, it is not withdrawn on a whim, and unlike contractual necessity, it does not require every processing activity to be “strictly required” to deliver a service. However, that flexibility comes with a trade-off, because you must be able to show that your interests are not overridden by the individual’s rights and freedoms, especially where the processing is unexpected or could create a tangible risk to the individual.

Although the UK GDPR does not provide a rigid definition of what counts as a legitimate interest, the ICO notes that the concept is broad and can include straightforward commercial interests, provided your assessment and safeguards are appropriate to the processing. (ICO)

The three-part LIA test (purpose, necessity, balancing)

A robust Legitimate Interests Assessment typically follows three stages. While templates vary, the underlying logic is consistent: you identify the interest, test whether the processing is necessary, and then balance that against the individual’s interests.

1) Purpose test: What is the legitimate interest?

Start by defining the interest clearly and specifically. “Running the business” is too vague to be meaningful; by contrast, “preventing fraud on customer accounts” or “maintaining network security” is more precise, measurable, and defensible.

At this stage, you should also confirm that the interest is lawful and genuine, and that the processing is not being used to justify something that would be better supported by another lawful basis.

2) Necessity test: Is this processing necessary to achieve it?

Here, “necessary” should be understood as proportionate and targeted, rather than “no alternative exists.” In other words, you are asking whether there is a less intrusive, reasonably available way to achieve the same aim with reduced impact on individuals.

For example, if your interest is preventing automated spam submissions, limited rate-limiting and short-lived security logs may be proportionate; however, building detailed behavioural profiles of visitors for indefinite periods is unlikely to be “necessary” for that purpose.

3) Balancing test: Do the individual’s interests override yours?

This is where legitimate interests either survives scrutiny or collapses on contact with reality.

A strong balancing test typically considers:

• the nature of the data (basic identifiers vs more sensitive information);
• the relationship (customer, employee, prospect, website visitor);
• reasonable expectations (is this what people would anticipate?);
• the likely impact (financial harm, distress, exclusion, or loss of control); and
• the safeguards in place (minimisation, retention limits, opt-outs, access controls).

The ICO highlights that legitimate interests requires consideration of the impact on individuals, and that additional care is required in higher-risk contexts, such as children’s data. (ICO)

What a good LIA looks like in practice

A defensible LIA is readable, specific, and reviewable. Importantly, it should not be written as if it is trying to “win” a conclusion; instead, it should demonstrate that you have genuinely assessed whether legitimate interests is appropriate, and what mitigations are necessary to make it fair.

The ICO provides a sample LIA template that is genuinely useful as a baseline structure, particularly for SMEs trying to introduce repeatable governance without turning every decision into a legal project. (ICO)

A practical LIA record usually includes:

• a short description of the processing (what you do, whose data, where it comes from);
• the interest you are pursuing (purpose test);
• why the processing is proportionate (necessity test);
• the balancing analysis (expectations, risks, impacts);
• safeguards and mitigations;
• the outcome (proceed / proceed with changes / use another lawful basis); and
• review triggers (new tools, new purposes, new audiences, new risks).

Common pitfalls that undermine legitimate interests

Pitfall 1: Using legitimate interests as the default for everything

While legitimate interests is flexible, it is not universal. If you are forcing the assessment to “pass,” that is often a sign that the processing is too intrusive, too unexpected, or insufficiently safeguarded.

Pitfall 2: Forgetting transparency

If you rely on legitimate interests, your privacy notice should not only name the lawful basis, but also explain what the legitimate interests are and how individuals can object. The ICO’s small-organisation guidance on privacy notices is a strong reference point for the content and clarity expected. (ICO)

Notably, the ICO flags that some privacy notice guidance is under review following the Data (Use and Access) Actcoming into law on 19 June 2025, which is a helpful reminder that “set and forget” documentation rarely stays compliant for long. (ICO)

Pitfall 3: Treating the LIA as a one-off form

An LIA should be reviewed when the processing changes. For example, if you introduce new analytics tools, expand into new markets, begin using AI features, or start collecting new categories of data, your previous balancing assumptions may no longer be reliable.

Pitfall 4: Ignoring reasonable expectations

If your processing would surprise a typical person, your balancing test needs to be stronger, your safeguards tighter, and your transparency sharper. Put differently, surprise increases risk; therefore, you should either redesign the processing or choose a different lawful basis.

SME examples: where legitimate interests often works well

These are not blanket approvals; rather, they illustrate scenarios where legitimate interests is commonly relied upon, assuming the LIA supports it and safeguards are implemented.

Example A: Security logging

Purpose: prevent unauthorised access and investigate incidents
Necessity: limited logging supports detection and response
Safeguards: short retention, access controls, monitoring, minimised fields

Example B: Service communications and account administration

Purpose: ensure continuity of service, manage accounts, prevent fraud
Necessity: basic identifiers and contact details are proportionate
Safeguards: clear privacy information, retention controls, role-based access

Example C: B2B prospecting (carefully)

Purpose: business development
Necessity: limited contact details for targeted outreach
Safeguards: clear opt-out, restrained frequency, suppression lists, and a stronger balancing test where expectations are less clear

How to reflect legitimate interests in your privacy notice

If you are using legitimate interests, your privacy notice should explain it in plain English. A simple, readable format is often the most effective:

• Purpose: why you process the data
• Lawful basis: legitimate interests
• Our legitimate interests: the specific interest pursued
• Your choices: how to object or opt out

For guidance on what should be included and how to write it clearly, the ICO’s privacy notice guidance for small organisations is a useful reference, and its “create your own privacy notice” tool can be helpful as a starting point for SMEs. (ICO)

When to choose a different lawful basis instead

Legitimate interests is often unsuitable where the processing is unexpected, intrusive, or high impact, particularly where:

• you are processing children’s data;
• you are using special category data in ways that increase risk; or
• the processing could materially affect an individual’s opportunities, access, or treatment.

When the balancing test is strained, it is usually more effective to step back and reconsider the design of the processing itself, rather than trying to “paper over” risk with optimistic wording.

How Athlex can help

If you want legitimate interests to be defensible, you need more than a template you downloaded and forgot to tailor. You need processing-specific reasoning, a workable record, and wording that matches what you do day-to-day.

Athlex can support in a few ways:

• Outsourced DPO support (ongoing guidance, governance, and risk management). (Athlex Limited)
• Practical advisory support (including contract reviews, clause support, and compliance packages). (Athlex Limited)

Coming soon: Athlex templates built for small businesses.
We’re launching a set of downloadable templates designed to be practical, plain-English, and SME-ready, including LIAs, privacy notice wording, and other essentials. They’re built to reflect real-world processing, so you can implement them quickly without the usual “generic filler” problem.

In the meantime, you may find our UK GDPR compliance checklist for small businesses a useful quick-start resource. (Athlex Limited)

Key takeaways

Legitimate interests can be a strong, flexible basis under the UK GDPR; however, it only works when you can show your reasoning. If you document your LIA properly, apply safeguards that reduce risk, and align your privacy notice with what you actually do, you are far more likely to end up with compliance that is credible rather than cosmetic.

FAQ

What is legitimate interests under UK GDPR?

Legitimate interests is a lawful basis that may allow processing when you have a genuine interest that is not overridden by the individual’s rights and freedoms, provided the processing is fair and proportionate. (ICO)

Do I need a legitimate interests assessment (LIA)?

In practice, yes. An LIA is the clearest way to document your purpose, necessity, and balancing analysis, and the ICO provides a sample template to support structured decision-making. (ICO)

Do I need to mention legitimate interests in my privacy notice?

Yes. If you rely on legitimate interests, your privacy notice should communicate that basis and explain what the interests are, using clear, accessible language. (ICO)