Purpose limitation reimagined: The ICO's 2026 guidance on reuse of personal data

The Information Commissioner's Office (ICO) updated its guidance on purpose limitation and the reuse of personal data on 23 March 2026. It is the authoritative interpretive layer sitting on top of one of the most significant structural reforms to UK data protection law since the UK GDPR took effect: Section 71 of the Data (Use and Access) Act 2025 (DUAA), which amends Article 5(1)(b), inserts a new Article 8A, and introduces Annex 2 via Schedule 5.

For General Counsel, Data Protection Officers and Chief Compliance Officers, the guidance signals a move from risk-averse minimisation toward a more structured framework for purposeful reuse. That is, in commercial terms, a permission to do more, but in legal terms, an invitation to misread the architecture. The most expensive mistakes in 2026 will not be made by organisations that hesitate, but by those that treat the new framework as a green light when it is a more sophisticated traffic system.

The legislative architecture: Section 71 and Article 8A

Section 71 DUAA amends Article 5(1)(b) of the UK GDPR to clarify that the purpose limitation principle applies to data "collected (whether from the data subject or otherwise)" and further processed "by or on behalf of a controller." The drafting expressly captures data obtained from third parties or public sources, providing welcome clarity in an era of large-scale data acquisition.

Sitting alongside this, the new Article 8A codifies the framework for further processing. It replaces what had previously been a patchwork of recitals and case-by-case guidance with a statutory compatibility test. Where a controller proposes to reuse personal data for a purpose other than that for which it was collected, and the reuse does not fall within Annex 2, the controller must conduct a compatibility assessment that takes into account:

  • The link between the original and proposed purposes

  • The context of collection, including the relationship with the data subject and the degree of reasonable expectation

  • The nature of the data, with elevated scrutiny for special category and criminal offence data

  • The consequences for data subjects, both intended and foreseeable

  • The appropriate safeguards, including pseudonymisation, encryption and access controls.

This is, in practice, a documentation regime. The compatibility assessment is now the defensible audit trail that controllers will be expected to produce when challenged - by a regulator, a claimant, or a counterparty in M&A diligence.

The first blind spot: Compatibility is not lawfulness

The most consequential single sentence in the new framework is found in Section 71(3), which provides "for the avoidance of doubt" that processing is not made lawful solely because it is compatible with the original purpose. A valid Article 6 lawful basis must still be identified.

This will be missed. The elegance of Annex 2 (discussed below) creates psychological gravity toward conflating two distinct legal questions:

  1. Is the new purpose compatible with the original? (Article 5(1)(b))

  2. Is there a lawful basis for the new processing? (Article 6).

These are independent gates. Both must open.

Consent-based data: The narrower repurposing path

The ICO guidance is particularly strict on data originally collected on the basis of consent under Article 6(1)(a). Where the original lawful basis is consent, the controller's options for reuse are narrower. The new purpose is generally only compatible where:

  • The data subject gives fresh, specific consent for the new purpose

  • The processing is to ensure or demonstrate compliance with a data protection principle

  • The processing meets a condition in Annex 2 and obtaining new consent is not reasonable, or

  • The processing is necessary to safeguard a public interest objective listed in Article 23(1)(c) to (j) of the UK GDPR and is authorised by law, and obtaining new consent is not reasonable.

The commercial implication is significant. Marketing databases, loyalty programmes and product analytics datasets built on consent are not freely re-purposable, however operationally tempting that may be. Where the original consent was specific, controllers should expect the ICO's threshold for "compatible" reuse to be correspondingly tight.

Annex 2: Presumptive compatibility, not a complete safe harbour

The introduction of Annex 2 is the headline purpose limitation reform. It identifies specified circumstances in which further processing is to be treated as compatible with the original purpose of collection, removing the need for a bespoke compatibility assessment. The conditions, as set out in the ICO's guidance, are:

Annex 2 condition                 | Typical use case
----------------------------------+----------------------------------------------------------------
Public task disclosure response   | Sharing data with public bodies discharging statutory functions
Archiving disclosure response     | Archiving in the public interest
Public security                   | Civil protection scenarios
Emergencies                       | Pandemic response; civil contingencies
Crime                             | Fraud detection; AML; investigations
Vital interests                   | Life-threatening medical scenarios
Safeguarding                      | Protection of children and vulnerable individuals
Taxation                          | HMRC data sharing
Legal obligations                 | Statutory disclosures

The Secretary of State retains the power to amend Annex 2 by regulation, subject to the affirmative procedure. The list is not static, and organisations operating in adjacent fields should monitor proposed amendments carefully.

The critical practitioner point: Annex 2 collapses the compatibility analysis for specified purposes; it does not provide a complete compliance safe harbour. Controllers relying on it should still document (i) why the condition applies, (ii) what Article 6 lawful basis supports the new processing, (iii) whether a DPIA is triggered under Article 35, and (iv) what transparency obligations arise under Articles 13 and 14.

A connected point worth flagging: several Annex 2 conditions overlap conceptually with the Recognised Legitimate Interest conditions in Annex 1 (introduced by the same Act under a separate ICO guidance stream). The ICO's view is that, where an Annex 2 compatibility condition applies, the corresponding Annex 1 condition may often provide the appropriate Article 6 lawful basis. The two instruments are designed to work together, but they answer different questions: Annex 1 supplies the lawful basis, Annex 2 supplies the compatibility.

Special category and criminal offence data

The guidance reinforces that the compatibility framework does not displace the additional protections for sensitive data. Where reuse involves special category data under Article 9, controllers must continue to identify a condition for processing under Article 9. The same applies to criminal offence data under Article 10. A finding that the new purpose is compatible, or that it falls within Annex 2, does not relieve the controller of these obligations. In practice, this means that the most sensitive reuse cases face a triple gate: compatibility, lawful basis, and a sensitive data condition.

Strategic recommendations

For senior legal and compliance functions, the operational priorities flowing from the purpose limitation guidance are:

  • Reconstruct data inventories around purposes, not datasets. The compatibility assessment is purpose-led; legacy data maps organised by system or data type will not support it.

  • Build a standardised compatibility assessment template capturing the five statutory factors in Article 8A. Integrate it with DPIA processes where Article 35 thresholds are triggered.

  • Audit consent-based datasets for repurposing risk. Marketing, loyalty and product analytics datasets often carry consent-flagged provenance that constrains reuse more tightly than controllers assume.

  • Document Annex 2 reliance properly. A note that records the relevant condition, the lawful basis, the DPIA position and the transparency steps is the minimum defensible posture.

  • Treat special category and criminal offence reuse with particular care. The compatibility framework does not soften the Article 9 and 10 thresholds, and these cases warrant tailored documentation.

Our views

The purpose limitation reforms are not a deregulation. They are a redistribution of complexity. The principle has been clarified and, in defined areas, simplified. In exchange, controllers carry a heavier evidentiary burden - compatibility assessments, documented Article 6 analyses, and DPIAs that integrate the new architecture.

The organisations that succeed under this regime will be those that recognise the new framework for what it is: a structured invitation to do more with data, conditional on the discipline to document why.

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
