UK GDPR lawful bases are the foundation for any lawful processing of personal data, and getting them right is essential for compliance.
Article 6 of the UK GDPR sets out six bases, and your organisation must identify and document at least one before processing any personal data. This guide explains each basis with practical examples to help you determine which applies to your activities. Where your processing involves more complex assessments – such as legitimate interest or special category data – our data protection solicitors can help you navigate your obligations, complete risk assessments like LIAs and DPIAs, and ensure your approach meets regulatory expectations.
Lawful Bases
Consent
This is where the data subject has freely given, specific, informed and unambiguous indication of their wishes, by which they, by a statement or an explicit affirmative action, signify agreement to the processing of personal data relating to them.
Organisations often believe this is the easiest lawful basis to rely on, because it appears to require little thought and is simple to obtain. This could not be further from the truth. In fact, consent is one of the most complex lawful bases to rely on. Unfortunately, many employers have historically relied on consent while failing to consider the imbalance of power between an employer and an employee. In 2019, the Greek Data Protection Authority (GDPA) (the Supervisory Authority of Greece, equivalent to the ICO) fined PwC €150,000 for unlawfully using consent to process its employees’ personal data. The GDPA drew on the Article 29 Working Party Guidelines on consent, which state: “…given the dependency that results from the employer/employee relationship, it is unlikely that the data subject can deny their employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from their employer to, for example, activate monitoring systems such as camera observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent…”
A good example of using consent as a lawful basis would be where the Talent function of your organisation wishes to retain a candidate’s personal data in case of future suitable job opportunities, when there is no offer of employment. This is where consent should be sought and reconfirmed after a specified period has elapsed. If, later, that particular candidate wishes, they may request that their personal data be deleted from the database, thereby withdrawing consent.
If you rely on consent, it’s also essential to keep proper records, as stipulated by Article 7(1): “…where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of their personal data…”
Performance of contract
This is where processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject before entering into a contract.
The following are examples where the performance of a contract may be an appropriate lawful basis:
- Billing information to supply services to an individual
- To fulfil an employer’s obligation as a controller under an employment contract with said employee
- An insurance company is processing personal data to prepare a quotation
The ICO guidance provides the following as examples where the performance of a contract would not be an appropriate lawful basis:
- If you need to process one person’s details, but the contract is with someone else.
- If you collect and reuse personal data for your own business purposes, even if this is permitted under your standard contractual terms and is part of your funding model.
- If you take pre-contractual steps on your own initiative, to meet other obligations, or at the request of a third party.
The European Data Protection Board (EDPB) has issued guidelines on the processing of personal data under the lawful basis of performance of a contract. However, this is in the context of the provision of online services to data subjects.
Legitimate interest
This is where processing is necessary for the controller's or a third party's legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data.
Legitimate interests are probably the most flexible lawful basis. The ICO guidance states that, should an organisation rely on legitimate interests, the controller must satisfy the three-part test:
- Identify a legitimate interest;
- Show that the processing is necessary to achieve it; and
- Balance it against the individual’s interests, rights and freedoms.
Your organisation would need to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of an individual. However, the ICO guidance also warns “…you should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them. You should also avoid this basis for processing that could cause harm, unless you are confident there is nevertheless a compelling reason to go ahead which justifies the impact…”.
In essence, if your organisation wishes to rely on legitimate interests as a lawful basis, you can apply the three-part test using the ICO’s Legitimate Interests Assessment (LIA) template, available on the ICO’s website. An LIA is a light-touch risk assessment that helps to ensure your processing is lawful.
One example of where your organisation may rely on legitimate interest is where you install CCTV to protect your premises or to prevent and detect crime. Conducting an LIA at the outset matters: if you did not initially consider whether the processing could override the data subjects’ rights and freedoms, you may later be forced to stop processing under this basis, which is disruptive and costly. It may also be necessary to conduct a data protection impact assessment (DPIA) for this type of processing activity.
You should note that legitimate interest may not be suitable where it’s likely that individuals would object to the data processing under this lawful basis.
Legal obligation
You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation. It means your organisation needs to process an individual's personal data to comply with the law.
A good example is processing an employee’s tax code and national insurance information so that the appropriate amount of tax can be deducted from an employee’s wages. Another would be where a production order sealed by the court is served (in this scenario, the processing activity would be sharing).
It’s important to note that contractual obligations are not legal obligations, and processing personal data to fulfil a contractual relationship would fall under the lawful basis of performance of contract, not a legal obligation. Many organisations get this wrong, as a breach of contractual obligations is a legal cause of action, with remedies that can be sought in court.
Vital interests
Processing is lawful under this basis where it is necessary to protect an interest that is essential for the life of the data subject or of another natural person.
An example would be a life-threatening accident involving one of your employees at work. If they are admitted to hospital, any medical information that could assist the hospital should be shared, as this disclosure would be necessary to protect that individual’s vital interests.
UK GDPR states that the vital interests lawful basis may apply when processing is necessary on humanitarian grounds, such as monitoring public health during an epidemic or responding to a disaster. This could include both natural events and human-caused events. It also advises that if you are processing someone’s personal data to protect another person’s life, you should consider whether another lawful basis is more appropriate, and rely on vital interests only when no other basis is available.
Public interest
This basis applies where processing of personal data is necessary for:
- the administration of justice
- the exercise of a function of either House of Parliament
- the exercise of a function conferred on a person by an enactment or rule of law
- the exercise of a function of the Crown, a Minister of the Crown or a government department, or
- an activity that supports or promotes democratic engagement
An example of processing under this lawful basis is where local authorities process an individual’s personal data to manage and enforce Traffic Regulation Orders (TROs), which is part of the local authority’s public task function.
It’s unlikely that a commercial organisation would ever rely on this lawful basis, as it’s more catered towards public authorities that perform public functions.
Does a lawful basis need to be included in your privacy policy?
In short, yes. The UK GDPR states that individuals must be informed about how your organisation processes their personal data and the lawful basis for that processing. This means you would need to include these details in your privacy policy to demonstrate that personal data is processed lawfully, fairly, and transparently.
What happens if the reason for your processing changes?
In some cases, you could probably continue to process under the original lawful basis, so long as the new purpose is compatible with your original purpose. The ICO provides a non-exhaustive list of the points you need to think about when considering if the new purpose is compatible with the original purpose, such as:
- Any link between your original purpose and the new purpose.
- The context in which you collected the data, in particular, your relationship with the individual and what they would reasonably expect.
- The nature of the personal data, e.g., whether it’s special category data or criminal offence data.
- The possible consequences for individuals of the new processing, and
- Whether there are appropriate safeguards, e.g., encryption or pseudonymisation.
However, if you were initially relying on consent as a lawful basis, then you would need to obtain new consent covering the new purpose in relation to the change in processing activity, as consent must always be specific and informed.
Processing special category data
This is personal data that relates to an individual’s:
- Racial or ethnic origin
- Political affiliation
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Medical data
- Sex life or sexual orientation
If you are processing special category data at your organisation, you need to identify a lawful basis for processing, and then a further condition under Article 9 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (if applicable).
Protect your organisation by getting the lawful basis right
Understanding which lawful basis applies to your processing activity is a core part of your UK GDPR responsibilities – and reviewing this if your purpose changes is just as significant. The ICO’s interactive guidance on lawful bases can help businesses assess which basis is most appropriate. However, we understand that it can be challenging to choose which lawful basis applies to your processing activities, and some even require risk assessments. Our experienced data protection solicitors can support you in evaluating your data practices, documenting your decisions, and conducting any necessary evaluations to ensure your compliance is robust and well-evidenced. Whether you’re dealing with consent, special category data or complex legitimate interest cases, we’re here to help protect your organisation.