In the intricate world of data protection, simply knowing what constitutes personal data under UK GDPR is only half the battle. Once you recognise you are handling personal information, the next, equally crucial step is to ensure you are doing so legally. This is where the concept of “lawful bases for processing” comes into play. Without a valid lawful basis, any processing of personal data is, quite simply, against the law.
For many, the first and only lawful basis that comes to mind is ‘consent’. While consent is indeed one of the options, relying solely on it, or using it inappropriately, can lead to significant compliance challenges. The UK GDPR provides six distinct lawful bases, each serving as a specific ‘key’ that unlocks the door to legally processing data.
Just as you need the right key for the right door, selecting the correct lawful basis for your data processing activities is fundamental to meeting your obligations.
This guide will explain each of these six keys, detailing when and how they apply, helping you confidently navigate the requirements for legally handling data under UK GDPR.
The “Key” Analogy: Unlocking Legal Data Processing
Imagine that every time you need to process someone’s personal data, you encounter a locked door. To open that door and proceed legally, you need a specific key. The UK GDPR provides a set of six unique keys. Each key is designed for a particular type of door – that is, a specific reason or context for processing data.
- If you try to force open a door with the wrong key, it simply won’t work, or you might even damage the lock (leading to non-compliance).
- Similarly, choosing an inappropriate lawful basis for your data processing means you are not legally permitted to proceed, no matter how good your intentions.
Your responsibility under the UK GDPR is to identify the correct key for each data processing activity you undertake and to be able to demonstrate why that key is the right one.
Why You Absolutely Need a Lawful Basis
The UK GDPR operates on a principle of lawfulness. This means that personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject.” The ‘lawfully’ part requires that you have a specific legal ground for processing that data. Without one of the six lawful bases, your activities are unlawful, regardless of how minor they might seem.
The Information Commissioner’s Office (ICO), the UK’s independent authority for data protection, expects organisations to clearly identify and document their lawful bases for all data processing activities. This forms a critical part of your accountability obligations under the UK GDPR.
The Six Keys to Lawful Processing Under UK GDPR
Let’s explore each of the six lawful bases for processing personal data, providing practical examples and detailing their application.
1. Consent: The Permission Key
Definition: Consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Where special category data (such as health data) is involved, the consent must also be explicit.
When to use it: Consent is appropriate when you want to offer individuals genuine choice and control over how their data is used. This is typically for activities that are optional and wouldn’t prevent you from providing your core service if consent wasn’t given.
- Example: Sending marketing emails about new product launches to individuals who have specifically opted-in to receive them. If they don’t opt-in, you still provide your core service (e.g., selling them goods), but you don’t send marketing.
- Example: Placing non-essential cookies (like analytics or advertising cookies) on a user’s browser.
- Example: Conducting a voluntary survey asking for personal opinions that aren’t necessary for a contract or legal obligation.
When not to use it: Consent is often not the most appropriate lawful basis, and relying on it can be problematic if:
- There is an imbalance of power: For instance, between an employer and employee. Employees may not feel genuinely free to refuse consent to data processing that impacts their job.
- It’s a prerequisite for a service: If individuals must give consent for data processing that is genuinely necessary for the core service, consent is likely not ‘freely given’. Another basis, like ‘contract’, would be more appropriate.
- You can’t easily withdraw it: Consent must be as easy to withdraw as it is to give. If withdrawing consent creates undue burden, it may not be valid.
Requirements for Valid Consent:
- Freely given: No undue pressure or consequence for refusal.
- Specific: Consent for clearly defined purposes, not vague “all purposes.”
- Informed: Individuals must understand what they are consenting to, including who is processing their data and for what purpose.
- Unambiguous: A clear affirmative action (e.g., ticking an un-ticked box, signing a form), not silence or pre-ticked boxes.
- Demonstrable: You must keep records to prove consent was given, when, by whom, and for what.
The take-home: Only use consent when you truly offer individuals a genuine choice and control, and document it rigorously.
2. Contract: The Agreement Key
Definition: This basis applies when processing is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
When to use it: This key is for situations where processing personal data is essential to fulfil an agreement with an individual, or to prepare for such an agreement at their request.
- Example: Processing a customer’s name, address, and payment details to fulfil an online order they have placed with your e-commerce store. The data is necessary for the sales contract.
- Example: Using an employee’s bank details to pay their salary as part of their employment contract.
- Example: Storing contact details of a potential client who has requested a quote for your services, prior to formalising a contract.
- Example: Providing access to a paid subscription service after a user signs up.
Key Aspect: The processing must be necessary for the contract. If you could provide the service without that specific piece of data, then ‘contract’ is not the appropriate basis for that data.
3. Legal Obligation: The Duty Key
Definition: This basis applies when processing is “necessary for compliance with a legal obligation to which the controller is subject.” This means there is a clear basis for the processing in UK law (not just a contractual obligation).
When to use it: Use this key when you have a legal duty to process certain personal data. This duty must be laid down in UK law, whether in statute (primary or secondary legislation) or in a clear common law obligation; it does not need to require the specific processing, but it must make the processing necessary to comply.
- Example: A business is legally obliged to report certain financial transactions to HMRC for tax purposes. Processing customer transaction data for this reason is a legal obligation.
- Example: Employers have a legal duty to provide certain employee data to pension schemes or for health and safety reporting.
- Example: An organisation is required by a court order to provide specific personal data to a legal authority.
- Example: Retaining certain records for a specified period under health and safety legislation.
Key Aspect: The legal obligation must be genuine and clearly defined in law. You cannot invent a legal obligation; it must exist within the UK’s legal framework.
4. Vital Interests: The Emergency Key
Definition: This basis applies when processing is “necessary in order to protect the vital interests of the data subject or of another natural person.”
When to use it: This lawful basis is very narrow and should only be used in genuine, life-or-death emergency situations where other lawful bases cannot be relied upon. It’s typically used when processing is urgently required to prevent serious harm or death.
- Example: A hospital sharing a patient’s medical records with emergency services during a critical accident to save their life.
- Example: Using a person’s contact details to alert them to a life-threatening situation (e.g., immediate risk of natural disaster).
Key Aspect: This basis is rarely applicable for typical business operations. Where it involves special category data (e.g., health data), the UK GDPR additionally requires that the individual is physically or legally incapable of giving consent; if they could be asked, vital interests is not available and another condition must be found.
5. Public Task: The Civic Duty Key
Definition: This basis applies when processing is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
When to use it: This key is primarily used by public authorities (such as government departments, local councils, NHS bodies, and schools) when they are carrying out their official functions. Some charities and non-profit organisations might also rely on this if they are exercising a public function or powers laid down in law.
- Example: A local council processing resident data to provide public services like waste collection or housing.
- Example: NHS trusts processing patient data for public health initiatives or medical research conducted in the public interest, where it’s based on specific legal provisions.
- Caveat: Police forces processing data for law enforcement purposes (investigating or prosecuting offences) are not relying on this UK GDPR basis at all; that processing falls under the separate law enforcement regime in Part 3 of the Data Protection Act 2018. Public task applies to their other official functions, such as administrative processing carried out under statutory powers.
- Example: A school processing student data for educational purposes mandated by law.
Key Aspect: The public interest task or official authority must be clearly defined in law. It cannot simply be ‘something that benefits the public’.
6. Legitimate Interests: The Balancing Act Key
Definition: This basis applies when processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
When to use it: This is the most flexible of the lawful bases, but also the most nuanced, requiring a careful balancing act. You can use it when processing is necessary for your legitimate interests (or those of a third party), provided those interests are not overridden by the rights and freedoms of the individual whose data you are processing. Note that public authorities cannot rely on legitimate interests for processing carried out in the performance of their public tasks; they must use the public task basis instead.
- Example: Using customer data for direct marketing, which the UK GDPR recitals recognise as a potential legitimate interest (typically B2B, or B2C where there is a clear existing relationship). Be aware that the Privacy and Electronic Communications Regulations (PECR) separately require consent for most electronic marketing (email, SMS) to individuals unless the ‘soft opt-in’ for existing customers applies, so legitimate interests alone does not authorise the sending.
- Example: Processing IP addresses and website usage data for network security, fraud prevention, or to improve user experience (e.g., A/B testing).
- Example: Internal administrative purposes, such as maintaining customer databases or staff records, where ‘contract’ or ‘legal obligation’ don’t fully apply.
- Example: Analysing website traffic data (e.g., with an analytics service) to understand user behaviour and optimise website performance, provided proper safeguards (like IP anonymisation and short retention) are in place. Note the distinction from the cookie example under consent above: legitimate interests can cover the analysis of the data, but setting non-essential analytics cookies on the user’s device still requires consent under PECR.
Key Aspect: The Legitimate Interests Assessment (LIA)
To rely on legitimate interests, you must conduct and document a balancing test, often referred to as a Legitimate Interests Assessment (LIA). This three-part test involves:
- Purpose Test: What is the legitimate interest you are pursuing? It must be clear, specific, and real.
- Necessity Test: Is the processing necessary to achieve that interest? Could you achieve the same purpose without processing personal data, or by processing less data?
- Balancing Test: Do the individual’s interests and fundamental rights (especially privacy) override your legitimate interest? Consider the nature of the data, the impact on the individual, and any safeguards you can put in place to minimise risk.
The take-home: Document your LIA. This basis offers flexibility but demands diligent justification and careful consideration of individuals’ rights.
Choosing the Right Key: Not One-Size-Fits-All
It is vital to understand that no single lawful basis is inherently “better” than another. The most appropriate lawful basis for processing personal data depends entirely on the specific purpose and context of your processing activity.
- Don’t force consent: If you are processing data because you have a legal duty, or because it’s necessary for a contract, trying to obtain consent can be misleading and invalidate your processing. You should rely on the stronger, more appropriate basis.
- Document your choice: For each processing activity, you should identify and document your chosen lawful basis (typically in your record of processing activities) and state it in the privacy information you give to individuals, as the transparency provisions require. This demonstrates accountability and helps you explain your position if questioned by individuals or the ICO.
- One purpose, one basis: Generally, a single processing purpose should have a single, clearly identified lawful basis. While you might have multiple lawful bases for different processing activities within your organisation, each distinct activity needs its own justification.
You generally cannot switch between lawful bases for the same processing purpose if your initial choice proves difficult. However, if the purpose of processing changes, then a new lawful basis may be required for that new purpose.
What if You Don’t Have a Key?
If you are processing personal data without a valid lawful basis, you are doing so unlawfully. This carries significant risks under the UK GDPR, including:
- Enforcement Action: The ICO can issue warnings, reprimands, orders to comply, or even substantial fines (up to £17.5 million or 4% of annual global turnover, whichever is greater).
- Reputational Damage: Unlawful data processing can severely harm your organisation’s reputation and lead to a loss of customer trust.
- Legal Challenges: Individuals may bring claims against you for damages if their rights have been infringed.
Proactive identification and documentation of your lawful bases are not just about avoiding penalties; they are about establishing a robust and trustworthy approach to data handling.
Your Compass for Legal Data Handling
Understanding and correctly applying the six lawful bases for processing personal data is arguably the most fundamental aspect of UK GDPR compliance. These “keys” empower you to handle data legally, ethically, and transparently.
By carefully considering the purpose and context of each data processing activity, choosing the most appropriate lawful basis, and thoroughly documenting your decisions, you ensure that your organisation operates within the bounds of the UK GDPR, safeguarding both your interests and the privacy rights of individuals. This diligent approach forms the bedrock of responsible data stewardship in the United Kingdom.