What are the lawful bases for processing data?

Introducing the lawful bases

Whether your organisation is a law firm, a restaurant, or a university, chances are you can’t avoid processing personal data. Collecting and using people’s personal information is usually essential to running a business or providing a service, so it’s your organisation’s responsibility to make sure it’s being done fairly, legally, and transparently.

One major thing to consider first is whether there’s a lawful justification for processing the data in the first place.

Does your processing fall under any of the lawful bases?

 

The UK GDPR lays out seven key principles upon which the way personal data is processed should be built, including that any data processed must be done so “lawfully, fairly and in a transparent manner”. By processing personal data without a lawful basis, you’re in breach of this very principle.

So, are you grabbing people’s names, phone numbers, and email addresses without any basis to do so? Or are you processing personal data legally, under one of the six lawful bases?

What are these bases?

The six lawful bases, plainly laid out in Article 6 of the UK GDPR, are to be carefully considered. At least one has to apply to the personal data that your organisation processes. The lawful basis (or bases) that apply to you must be stated in your privacy notice, so make sure you stick it in there.

The lawful bases are:

 

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests
Data Protection and Digital Information (No. 2) Bill (DPDI)

Consent

If the data subject has given consent for his or her personal data to be processed, then it’s legal to do so. So long as the subject has been given a genuine choice and has agreed to the processing of their data, this lawful basis will apply.

With that said, this consent should be easy for the subject to withdraw, because everyone has the right to have full control and flexibility over how their personal information is used. It’s therefore fair, and should be easy, for a data subject to reverse this permission at any time. Evidence of any consent received should be kept – who it’s from, when it was given, how it was received, and what they consented to.

Consent is only legitimate if:

 

  • It is informed; it must be clear to the subject what they’re consenting to.
  • The consent given is explicit, confirmed in words – this must be a clear and specific statement.
  • Consent is obtained for each thing, separate from other terms and conditions, as opposed to vague or “blanket” consent.
  • It explicitly covers the name of the controller, the types of processing activity, and the purposes of processing the data.
  • It is easy to understand, to the point, and user-friendly.
  • It is given through a “positive opt-in”, e.g., not unticking a ticked box.
  • It is as easy to withdraw as it was to give.

 

Contract

If processing somebody’s personal data is necessary in order to meet your obligations as part of a contract with the subject, this is also considered a legitimate purpose. This also applies if you’re entering into a contract with them and they’ve asked you to carry out steps that involve the processing of their data. This doesn’t necessarily need to be a formal legal document, as even an oral statement applies.

However, if there are other ways to meet your contractual obligations that don’t involve processing the subject’s data, then this lawful basis does not apply, and you’ll instead need to find a different justification. Failing that, you legally cannot proceed.

 

Legal obligation

Similarly, if the processing of this personal data is the only way for you to meet a legal obligation, you may do so. You’ll need to provide evidence in the form of either a document that sets out what legal obligation you have, or by identifying what specifically you’re complying with.

An example of how this can be applied is if an employer is disclosing employee salary details to HMRC. The processing of this personal data is therefore necessary to carry out a legal obligation.

 

Vital interests

If the processing of someone’s personal data will protect a person’s life (not necessarily the data subject), then you may legally process it. This basis mostly applies to emergency medical treatment.

The UK GDPR states that this lawful basis should only apply if no other bases can be applied to the situation. For example, if consent can be sought, this basis cannot be relied upon.

 

Public task

If the processing is necessary to perform tasks in the public’s best interest, or to exercise authority, then it is permitted. So long as these purposes are laid down by law, this is an acceptable reason.

This lawful basis is most relevant to public authorities, but as long as your organisation exercises public authority or carries out tasks in the public interest, then this lawful basis can apply to your data processing. While a specific statutory power is not necessary, your underlying task must have a basis in law.

However, it’s specified that for this lawful basis to apply, it must be absolutely necessary to process the data to complete the aforementioned tasks. This must be demonstrable. If there are other, less intrusive ways to achieve these results, this basis doesn’t apply.

 

Legitimate interests

Finally, the most flexible basis is legitimate interests. This basis applies if the processing of the subject’s personal data is the only way to achieve a result in the interest of either you, or a third party. But while this basis seems to give the most freedom, it’s one that comes with a lot of responsibility. If you rely on this basis to use somebody’s personal information, you must ensure that the interests in question are acceptable.

This basis is most likely to apply if the reason for processing is one that the subject would reasonably expect. It’s also best if there’s only a minor impact on their privacy.

To determine whether you have a legitimate interest, you can perform a legitimate interest assessment, which you should then keep a record of. Then, if you need to demonstrate your compliance, you can do so.

Which lawful basis applies to me?

To decide under which lawful basis your data processing lies, you must consider why it’s being carried out. What’s the desired outcome? How is the data being used? Consider your purposes and from there, determine which of these bases, if any, fit those purposes. If you find that more than one basis applies, these must all be documented from the beginning.

Odds are, if your lawful basis isn’t made immediately clear by the circumstances, then you may be relying on legitimate interests or consent.

The ICO’s website has a handy interactive guidance tool which can help you determine your lawful basis if you’re struggling. It must be stressed, though, that if you still cannot identify one, you cannot proceed with the processing of the data.

The importance of the lawful bases

It’s extremely important to identify a valid lawful basis before any processing commences, and to document this from the start. By processing personal data without the application of a lawful basis, you’d be in breach of the UK GDPR, and your organisation can be fined.

It’s thus crucial that you consider carefully the data your organisation is processing, the reasons for doing so, and whether these reasons are legal and fair. You don’t want to face unwanted consequences for a simple error or oversight.

We understand that this can all be confusing and scary, especially considering the potential consequences of a mistake in this area. We at DPAS provide a range of services to help take some of the burden off your shoulders. By booking a consultation with us, you’ll receive expert advice from professionals who have years of experience in the industry.

Check out our services here.

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation