📢 On 21 August 2025, the UK Information Commissioner’s Office (ICO) opened a major public consultation on two key pieces of draft guidance under UK data protection law. If your organisation processes personal data or manages data protection complaints, this development should be high on your radar.

The consultation covers:

  • A new lawful basis introduced under the Data (Use and Access) Act 2024 (DUAA): Recognised Legitimate Interest
  • New requirements for handling data protection complaints, enforceable from June 2026

Below, we explore what this draft guidance means, how it might impact your compliance strategies, and why privacy professionals should engage with the consultation now.

1️⃣ Recognised Legitimate Interest: A New Lawful Basis

The DUAA introduced a new lawful basis for processing personal data in the UK: recognised legitimate interest. Unlike the existing “legitimate interests” basis under the UK GDPR, this new basis allows organisations to process data without conducting a balancing test, provided the purpose aligns with specific pre-approved conditions.

What Qualifies as a Recognised Legitimate Interest?

The ICO’s draft guidance lists five scenarios where this new basis can be used:

  • Public task disclosure requests
  • National/public security and defence
  • Emergency response or disaster situations
  • Crime prevention or detection
  • Safeguarding individuals (e.g. vulnerable persons)

Key Differences from Traditional Legitimate Interests

  • Organisations do not need to carry out a legitimate interests assessment (LIA) when relying on recognised legitimate interest, as long as the processing purpose matches one of the specified categories.
  • The new basis offers greater legal certainty for certain public-interest data uses, especially in sectors like policing, health, or child protection.

Why This Matters

This development could streamline compliance for organisations working in sensitive or public-interest areas. However, it may also lead to new interpretive challenges:

  • Will organisations try to stretch the definitions to fit their own purposes?
  • How will regulators respond to borderline cases?

Action Points for Privacy and Legal Teams

  • Review existing processing activities currently relying on legitimate interests to determine if they now fall under the new recognised category.
  • Update your data protection documentation, particularly privacy notices and records of processing activities (RoPAs), where applicable.
  • Monitor feedback and final guidance following the consultation’s conclusion.

2️⃣ Complaints Handling Guidance: Prepare for June 2026

The ICO’s second piece of draft guidance covers how organisations should handle data protection complaints, with new mandatory requirements taking effect from June 2026.

Minimum Standards for Complaints Handling

Organisations must have a clear and accessible complaints process that:

  • ✅ Allows individuals to submit complaints easily
  • ✅ Acknowledges complaints within 30 calendar days
  • ✅ Investigates the matter and keeps the individual informed
  • ✅ Communicates the outcome without undue delay

The ICO also recommends maintaining thorough records of:

  • The complaint
  • Acknowledgement date
  • Investigative steps taken
  • Final resolution

These records may be essential for demonstrating accountability in the event of an ICO investigation or legal challenge.

Why This Guidance Is Important

Although many larger organisations already have formal complaints procedures, this guidance creates a uniform national standard. For SMEs and start-ups, it could mean building or revising internal processes well ahead of the June 2026 deadline.

Why Your Organisation Should Respond to the Consultation

The ICO’s consultation period offers a crucial opportunity for organisations to help shape the final guidance. If your organisation operates in public service, law enforcement, emergency response, or frequently receives data protection complaints, your feedback could have real impact.

Next Steps

  • ✅ Review the ICO’s draft guidance on Recognised Legitimate Interest and Complaints Handling
  • ✅ Submit feedback before the consultation closes
  • ✅ Brief your data protection officer (DPO), legal team, and compliance stakeholders to evaluate how these changes affect you

Final Thoughts: Compliance Simplified – or More Grey Areas?

The new recognised legitimate interest basis could provide welcome clarity and reduce compliance burden for certain sectors. However, it may also create new grey areas for interpretation and enforcement.

Similarly, while the complaints guidance helps standardise expectations, it will require proactive planning and resourcing ahead of the 2026 deadline.

🛡️ Stay Ahead of the Curve

With UK data protection law evolving under the DUAA, now is the time to assess your organisation’s readiness, provide input on draft guidance, and start planning for changes ahead.

How to contact us

Contact Us | CVG Solutions

01775 660506
