UK General Data Protection Regulation (UK GDPR)

Lawful basis for processing of personal data

Guide

To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis in order to process personal data.

There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.

Conditions for processing data under the UK GDPR

The six lawful bases for processing are:

  • Consent - when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.
  • Contract - when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.
  • Legal obligation - when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation. See more on legal obligation.
  • Vital interests - when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.
  • Public task - when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest. See more on public task.
  • Legitimate interests - when processing is necessary to pursue your own (or a third party's) legitimate interests. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms. See more on legitimate interests.

Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.

Why must you have a lawful basis for processing?

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR (lawfulness, fairness and transparency).

The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights individuals can invoke against you. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.

Deciding which lawful basis applies

You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:

  • check that the processing is necessary for the relevant purpose
  • check that there is no other reasonable way to achieve this purpose
  • document why you chose a particular lawful basis - to demonstrate compliance
  • explain the purpose and the lawful basis for processing in your privacy notice

If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and an additional condition for processing that type of data, in compliance with the UK GDPR.

Commercial businesses will typically seek to rely on consent, contract and/or legitimate interests as lawful bases for processing personal data. Which one applies will depend on the kind of processing you intend to do and on whether you later want to process the data for a different purpose.

You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

Can you switch lawful basis for processing?

It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.

If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose (unless your original basis was consent). If you do need a new lawful basis, you will need to consider whether the new processing is fair and transparent, inform the individual about it, and document the change.

Documenting lawful basis

To satisfy the UK GDPR's accountability principle, you must keep a record of:

  • which basis you are relying on for each processing purpose
  • a justification for why you believe the basis applies

There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.

Find out more about documentation requirements in our guidance on accountability.

This guide does not constitute legal advice and is provided for general information purposes only.