Before you process any personal data, you need a valid reason to do so. Under both the EU GDPR and UK GDPR, that reason must be one of six "lawful bases" set out in Article 6. Choosing the right one isn't just a compliance tick-box—it affects individuals' rights and your obligations as a data controller.
Why Lawful Basis Matters
The lawful basis you rely on determines several important factors:
- Data subject rights: Some rights only apply to certain lawful bases. For example, the right to data portability only applies to processing based on consent or contract.
- Transparency requirements: You must tell individuals which lawful basis you're relying on in your privacy notice.
- Your ongoing obligations: Consent can be withdrawn at any time, whereas contract-based processing continues as long as the contract is in force.
- Regulatory scrutiny: The Information Commissioner's Office (ICO) will examine whether you've chosen an appropriate lawful basis and documented your reasoning.
Key Principle
You must determine your lawful basis before you start processing and document it. You cannot retrospectively change your lawful basis without good reason, and doing so is likely to be viewed with suspicion by regulators.
The Six Lawful Bases
Article 6(1) of the GDPR sets out six lawful bases. No single basis is inherently "better" or more important than the others—the appropriate choice depends on your specific purpose and relationship with the individuals concerned.
1. Consent
The individual has given clear, affirmative consent for you to process their personal data for a specific purpose.
Consent under GDPR must be:
- Freely given: There must be genuine choice with no imbalance of power
- Specific: Consent must be given for each distinct processing purpose
- Informed: The individual must know what they're agreeing to
- Unambiguous: Consent requires a clear affirmative action (no pre-ticked boxes)
✓ Strengths
- Gives individuals maximum control
- Clear and transparent
- Required for certain processing (e.g., marketing emails under PECR)
✗ Challenges
- Can be withdrawn at any time
- Difficult where power imbalance exists
- Requires robust record-keeping
Best for: Marketing communications, optional services, research participation, sharing data with third parties.
2. Contract
Processing is necessary for the performance of a contract with the individual, or to take steps at their request before entering into a contract.
This basis only covers processing that is genuinely necessary for the contract. It doesn't automatically cover everything you might want to do with customer data—only what's objectively required to fulfil your contractual obligations.
✓ Strengths
- Clear and straightforward
- Cannot be "withdrawn" like consent
- Easy to explain to individuals
✗ Challenges
- Limited to what's truly necessary
- Must have actual contract (not just terms of service)
- Only applies to parties to the contract
Best for: Delivering products/services, processing payments, providing customer support, pre-contractual enquiries.
3. Legal Obligation
Processing is necessary to comply with a legal obligation to which you are subject (other than a contractual obligation).
This applies where UK or EU law requires you to process certain data. You should be able to identify the specific legal provision that creates the obligation.
✓ Strengths
- Clear legal grounding
- Individuals cannot object
- Straightforward to document
✗ Challenges
- Must identify specific legal provision
- Limited to what the law requires
- Doesn't cover "nice to have" processing
Best for: Employment law requirements, tax reporting, anti-money laundering checks, regulatory reporting.
4. Vital Interests
Processing is necessary to protect someone's life. This is sometimes called the "life or death" basis.
This basis is narrow and typically only applies in emergency situations where the individual cannot give consent. It's not appropriate for general healthcare processing.
✓ Strengths
- Covers genuine emergencies
- Can apply to any individual's vital interests
- Clear ethical justification
✗ Challenges
- Very narrow application
- Cannot use if another basis applies
- Rarely appropriate for routine processing
Best for: Medical emergencies, disaster response, safeguarding situations where consent cannot be obtained.
5. Public Task
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you.
This basis is most relevant for public authorities and bodies, though private organisations can use it where they exercise official authority or perform tasks in the public interest established by law.
✓ Strengths
- Appropriate for public sector functions
- Covers statutory duties
- Basis in law provides clarity
✗ Challenges
- Must have clear basis in law
- Individuals have right to object
- Limited application for private sector
Best for: Public authority functions, official duties, tasks established by law, some journalism and research.
6. Legitimate Interests
Processing is necessary for your legitimate interests or those of a third party, unless overridden by the individual's interests, rights, or freedoms.
This is the most flexible basis but requires a three-part test known as a Legitimate Interests Assessment (LIA):
- Purpose test: Is there a legitimate interest behind the processing?
- Necessity test: Is the processing necessary to achieve that interest?
- Balancing test: Do the individual's interests override your legitimate interest?
✓ Strengths
- Flexible and adaptable
- Doesn't require consent
- Appropriate for many business purposes
✗ Challenges
- Requires documented LIA
- Individuals have right to object
- Not available to public authorities for core tasks
Best for: Fraud prevention, network security, direct marketing (with opt-out), intra-group data sharing, analytics.
Choosing the Right Basis
Selecting the appropriate lawful basis requires careful consideration of your specific circumstances. Here's a practical approach:
- Identify your purpose: What exactly are you trying to achieve? Be specific.
- Consider the relationship: What is your relationship with the individuals? Are they customers, employees, or members of the public?
- Review each basis: Work through each of the six bases and consider whether it could apply.
- Document your decision: Record which basis you're relying on and why.
- Inform individuals: Update your privacy notice to include the lawful basis for each processing activity.
Special Category Data
If you're processing special category data (such as health data, biometric data, or data revealing racial origin), you need both a lawful basis under Article 6 and a separate condition under Article 9. The Article 9 conditions include explicit consent, employment law obligations, and substantial public interest.
Common Mistakes to Avoid
Based on ICO enforcement actions and guidance, here are pitfalls to watch out for:
- Defaulting to consent: Consent isn't always the best option, especially where there's a power imbalance or where you need to process the data regardless of consent.
- Overstretching contract: Processing must be necessary for the contract, not merely useful or mentioned somewhere in your terms.
- Ignoring the balancing test: For legitimate interests, you must genuinely weigh the individual's interests against your own—don't just assume your interests win.
- Failing to document: Whatever basis you choose, you need to be able to demonstrate your reasoning to regulators.
- Changing basis inappropriately: You generally can't switch lawful basis after the fact, especially to avoid giving effect to data subject rights.
Practical Resources
The ICO provides several helpful tools for determining your lawful basis:
- Lawful Basis Interactive Guidance Tool — An interactive questionnaire to help identify appropriate bases
- Legitimate Interests Assessment Template — A template for documenting your LIA
- ICO Guidance on Lawful Basis — Comprehensive guidance on each of the six bases
Conclusion
Choosing the right lawful basis is fundamental to GDPR compliance. Take time to understand each basis, document your decisions carefully, and remember that the goal is to process personal data fairly and transparently.
If you're unsure which basis applies to your processing activities, consider seeking advice from your Data Protection Officer or a qualified privacy professional. Getting this right from the start will save significant time and potential regulatory issues down the line.
"The lawful basis you choose affects which rights are available to individuals. So it's important that you get it right."
— Information Commissioner's Office