What the Data Use and Access Act means for GDPR

The Data Use and Access Act 2025 (DUAA) amends the GDPR and UK data protection laws. Changes are being phased in between June 2025 and June 2026. For organisations, the biggest update for Article 6 of the GDPR is the introduction of a new lawful basis called recognised legitimate interests. This is a separate basis from standard legitimate interests and applies only to pre-approved public-interest purposes.

In practical terms, the new Article 6(1)(ea) basis can be used for:

  • Safeguarding “vulnerable” people
  • Responding to emergencies
  • Preventing or investigating crime
  • National security, public security and defence
  • Sharing personal information with an organisation that needs it for their public task or function at their request

Unlike standard legitimate interests, there is no additional balancing test, but the processing must still be necessary and proportionate, and organisations still need to comply with the rest of the UK GDPR.

The DUAA also gives some examples of processing under the legitimate interests lawful basis. These are direct marketing, intra-group transfers for administrative purposes, and network and information systems security. It also clarifies that the public task basis applies to an organisation’s own tasks, so organisations supporting a public authority may need to rely on another lawful basis instead.

For organisations reviewing their lawful bases under Article 6 of the GDPR, the key message is simple: check whether your processing now fits recognised legitimate interests, confirm that your chosen basis is still necessary, and update your privacy information accordingly.
