Legitimate interest under GDPR
When you can rely on legitimate interest as your lawful basis, how the three-part test works, and when to choose a different basis.
Legitimate interest is one of the six lawful bases for using personal data under the UK GDPR, and the most flexible of them. It lets you process data for a genuine business reason without asking for consent, as long as that reason doesn't override the interests of the people involved. The flexibility is useful, but it comes with a test you have to apply and be able to show.
This guide explains what legitimate interest is, how the three-part test works, when it's the right basis, and when to reach for a different one.
What is legitimate interest?
It's the lawful basis you can rely on when you process personal data for a purpose a person would reasonably expect, where that processing is necessary and doesn't cause them unwarranted harm. Unlike consent, it doesn't need the person to opt in, and unlike contract or legal obligation, it isn't tied to a single specific trigger. That breadth is why it suits ordinary, expected business activities, and also why it needs a check to stop it becoming a catch-all.
The three-part test
Before relying on legitimate interest you should work through three questions, often called a legitimate interests assessment:
- Purpose. Is there a real, specific interest behind the processing, whether yours or a third party's? "Running our business" is too vague; "preventing fraud on our checkout" is not.
- Necessity. Is the processing actually needed to achieve that purpose, or could you reach it in a less intrusive way? If a lighter option works, legitimate interest doesn't cover the heavier one.
- Balance. Do the person's interests, rights, and reasonable expectations override your interest? This is the part that decides it, and it turns on whether the processing would surprise or harm them.
If the balance comes down against the individual, legitimate interest isn't available, and you need a different basis or a different approach.
When it works well
Legitimate interest is a natural fit for processing people expect and that carries low risk to them: preventing fraud, keeping your network and systems secure, basic administration within a group of companies, and some marketing to existing customers. In each case the activity is ordinary, the person wouldn't be surprised by it, and the data use is proportionate to the aim.
When to use a different basis
Reach for another basis where the processing is intrusive, unexpected, or aimed at children, and where you already have a cleaner option. If you genuinely need someone's permission, use consent rather than stretching legitimate interest to avoid asking. Marketing by electronic means also has separate rules under PECR that sit on top of your lawful basis. And legitimate interest can't, on its own, justify processing special category data such as health or ethnicity, which needs an additional condition. When the balancing test is close, that's a signal to choose a clearer basis, not to push ahead.
Write it down
The thing that turns legitimate interest from a risk into a defensible choice is a short record of your assessment: the interest, why the processing is necessary, and how the balance came out. It doesn't need to be long. If a customer or the ICO ever asks why you relied on legitimate interest, that record is your answer.
Legitimate interest is one piece of the wider picture covered in our guide to GDPR for small businesses. If you'd like help choosing and documenting the right lawful basis across your processing, our GDPR compliance service covers it as part of the project.