"Legitimate interest" is a good legal basis for processing that is required for the organisation to function, but there are considerations to take into account.
Firstly, the actual interest must be clearly identified, for example creating a good user experience, protecting assets, preventing fraud, internal administration, etc. This is normally expressed as the purpose of processing in the privacy notice.
The data processed must be necessary for the legitimate interest, and there should be no less privacy-intrusive way to achieve the same interest.
Processing must observe all the basic privacy principles, including transparency, purpose limitation, data minimisation, accuracy, etc.
Finally, it must be shown that there are no overriding privacy interests of the individual that outweigh the legitimate interest of the organisation. In most cases this will not be a problem when analysing:
a) what the risks to the individual are;
b) what reasonable expectations of privacy the individuals might have.
In some cases, however, it can be a more complex judgment, for example the use of photos.