To comply with the General Data Protection Regulation (GDPR), you must identify the purpose and the lawful basis for processing personal data.
There are six available lawful bases for processing personal data under the GDPR.
Conditions for processing data under GDPR
The six lawful bases are:
- Consent - the individual agrees to you processing their personal data for a specific purpose. See more on consent.
- Contract - when processing is necessary for you to meet contractual obligations or to take steps to enter into a contract (eg provide a quote). See lawful basis for contract.
- Legitimate interest - when processing occurs to satisfy a legitimate interest - your own or that of a third party (eg commercial interest). To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.
- Vital interests of a person - when processing is necessary to protect someone's life. See vital interests basis.
- Public task - when processing is necessary for you to perform a task in the public interest or your official function, both of which must have a clear basis in law. Find out more on public task basis.
- Legal obligation - when processing is necessary for you to comply with the law. This excludes contractual obligations. See more on lawful basis for legal obligations.
Most lawful bases require that processing is 'necessary'. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.
What is your legal basis for processing personal data?
As part of your GDPR data audit, you should review your processing activities and select the most appropriate lawful basis, or bases (if more than one apply), for each activity.
At least one of these six legal bases must apply in order for processing to be lawful. If you have no legal grounds for processing, it will be unlawful.
You have to explain your legal basis for processing in your privacy notice, and when dealing with subject access requests. To comply with the GDPR accountability principle, you must be able to demonstrate that a lawful basis applies.
Choosing your legal basis
When choosing your legal basis, make sure that you:
- check that the processing is necessary for the relevant purpose
- check that there is no other reasonable way to achieve this purpose
- document why you chose a particular lawful basis – to demonstrate compliance
- explain the purpose and the lawful basis for processing in your privacy notice
- identify and document the legal basis for any special category data or criminal offence data
Where you complied with the Data Protection Act before, your legal basis is likely to be the same as your existing condition for processing. You can choose a new lawful basis if:
- you find that your old condition for processing is no longer appropriate under the GDPR
- you decide that a different basis is more appropriate
Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.
The Information Commissioner's Office (ICO) has produced an interactive tool to help you determine which lawful basis is likely to be most appropriate for your processing activities. Use the ICO's lawful basis interactive guidance tool.
It's worth noting that, in some cases, your choice of legal basis may determine which rights are available to your data subjects. For example, consent will often provide the broadest set of rights individuals can invoke against you. See data subject rights under the GDPR.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.