ICO publishes recognised legitimate interests and complaints handling guidance

The Information Commissioner's Office (ICO) has published draft guidance on two new areas and launched consultations to inform the final versions. This follows the implementation of the first provisions of the Data (Use and Access) Act 2025 (DUA Act), which took effect on 19-20 August.

The guidance on recognised legitimate interests is intended to help organisations use the recognised legitimate interest lawful basis in compliance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18). This guidance clarifies what the new lawful basis entails, defines what constitutes a recognised legitimate interest, and outlines when and by whom it can be used. In addition, it addresses specific types of data processing, including children's data, special category data, and criminal offence data. It also covers important topics such as data sharing, automated decision-making, and the five recognised legitimate interest conditions. 

The recognised legitimate interests consultation closes on 30 October 2025.

The guidance on data protection complaints explains the new legal requirement for organisations to have a process in place for handling data protection complaints from anyone unhappy with how their personal data has been processed. Such complaints can include subject access and other rights requests, or if a personal data breach has impacted them. The guidance explains how to set up a complaints process from putting in place a complaints form through to providing an outcome and reviewing lessons learned. It also covers receiving complaints from or on behalf of children. 

The complaints handling consultation closes on 19 October 2025.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.