Under the UK GDPR, organisations must have a valid legal reason before processing personal data. This legal reason is called a lawful basis, and Article 6 sets out six of them: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Choosing the right one matters because it affects transparency, individual rights, accountability, and whether the processing is lawful in the first place. The right basis depends on the purpose of the processing, not on which one feels easiest to use.
Main rule: you need a lawful basis before processing personal data.
Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests.
Why it matters: the basis affects rights, notices, records, and accountability.
A lawful basis is not something to choose after the processing has already started. It should be identified before personal data is collected, used, shared, stored, or otherwise processed. The ICO explains that organisations should be clear about their lawful basis from the start and document it properly.
The lawful basis should match the real purpose of the processing. It should not be selected later to justify a decision that has already been made.
A single organisation may rely on different lawful bases for different activities, such as payroll, marketing, customer support, legal compliance, or security.
Lawful basis decisions should be recorded as part of wider compliance governance, including privacy notices, data mapping, and records of processing.
This is closely connected to accountability and transparency, because organisations must be able to explain what they are doing and why.
Article 6 of the UK GDPR sets out the six lawful bases for processing personal data. Each one has a different purpose, and organisations should choose the basis that genuinely fits the activity.
Consent may apply where the individual has a genuine choice and gives a clear, informed, specific indication that they agree to the processing.
Contract may apply where the processing is necessary to perform a contract with the individual, or to take requested steps before entering into a contract.
Legal obligation may apply where the organisation needs to process personal data to comply with a legal duty that applies to it.
Vital interests is usually limited to situations where processing is necessary to protect someone’s life or physical safety.
Public task may apply where processing is necessary for a task carried out in the public interest or under official authority.
Legitimate interests may apply where the organisation (or a third party) pursues a genuine interest, the processing is necessary to achieve it, and that interest is not overridden by the individual's interests, rights and freedoms. The ICO describes this as a three-part test: purpose, necessity, and balancing.
The right lawful basis depends on the specific purpose of the processing. It is not always the basis that gives the organisation the most flexibility, and it should not be changed later without careful consideration.
A good lawful basis decision starts with the purpose. For example, payroll, customer orders, legal compliance, marketing, analytics, and safeguarding may each raise different questions.
The lawful basis can affect which rights apply and how they operate. For example, consent can be withdrawn at any time, legitimate interests gives individuals a right to object, and the right to data portability only applies where the basis is consent or contract.
Ask what you are doing, why you are doing it, whether it is necessary, what the person would expect, and what rights or risks are involved. Then document the basis clearly and reflect it in your privacy information.
Lawful basis mistakes usually happen when organisations choose a basis too quickly, rely on consent by default, or fail to connect the lawful basis to their privacy information and records.
Consent is not always the strongest or most accurate basis. If people cannot genuinely refuse or withdraw, another lawful basis may be more appropriate.
Different processing purposes may need different lawful bases. Treating all processing as one broad activity can create weak records and unclear privacy notices.
Lawful basis decisions should be specific, documented, and reflected in your privacy notice. They should also be reviewed when processing changes, especially if new data, new purposes, or new technologies are introduced.
The easiest way to understand lawful basis is to apply it to everyday processing activities. These examples are simplified, but they show how different purposes can point to different legal grounds.
Payroll may involve legal obligation, contract, or both, depending on the specific processing purpose and the requirement being met.
Marketing may involve consent or legitimate interests under the UK GDPR, but PECR also governs the communication channel: electronic marketing by email, text or automated call generally requires consent under PECR regardless of the UK GDPR basis chosen.
Processing needed to fulfil a customer order may often rely on contract, while related analytics or marketing may need a different basis.
Security monitoring may often involve legitimate interests, provided the processing is necessary, proportionate, and clearly explained.
If the lawful basis is wrong, the rest of the compliance structure can weaken around it. That can affect transparency, individual rights, retention, records, accountability, and whether the processing is lawful at all.
This article is based on ICO guidance on lawful basis under the UK GDPR, together with the UK GDPR provisions that require personal data to be processed lawfully, fairly, and transparently. It also connects to related areas such as consent, legitimate interests, transparency, and accountability.
Use the glossary for key terms, or download the checklist if you want a practical starting point for reviewing lawful basis decisions, privacy notices, records of processing, and wider GDPR accountability.