
What Are the 6 Lawful Bases for Processing Personal Data?

UK GDPR: 6 Lawful Bases for Processing Personal Data Explained

Understanding how and when personal data can be processed is vital for organisations wishing to use it in their day-to-day operations. Under the UK General Data Protection Regulation (UK GDPR), organisations must have a lawful basis to collect, store and use personal data.

There are six lawful bases set out in the UK GDPR, and whenever processing personal data, organisations must be able to identify and rely on at least one of them for each instance of processing. Which lawful basis you rely on determines how you communicate with individuals and the rights they have over their data.

But what does this mean for businesses in practice? And what are the lawful bases on which they can rely? In this post, we’ll take a closer look at each of the six lawful bases set out in the UK GDPR and explore when they apply, along with some examples. Let’s break it down.

Get in touch with NormCyber today for practical, tailored advice on selecting the correct lawful basis, ensuring your data practices are fully aligned with UK GDPR.


The 6 Lawful Bases for Processing Personal Data

1. Consent

This is perhaps the most well-known basis for processing personal data, but possibly also the most commonly misused. Relying on consent means that the individual has given their clear, informed and unambiguous agreement for their personal data to be processed for a specific purpose.

Consent should be used when no other lawful basis applies and the individual is given genuine choice and control. Typical examples are signing up for a newsletter, accepting cookies or participating in a survey. It should not be used when the individual is unlikely to have a real choice about whether or not to give consent. For instance, in an employment context an employee may feel unable to decline without suffering a negative consequence.

2. Contract

Processing personal data is considered lawful when it is necessary to fulfil a contract with the individual or to take steps at the individual’s request prior to entering into a contract.

An example of this would be when you need to process personal data to satisfy a contractual obligation, like delivering goods or providing a paid service. Importantly, you must ensure that the data processed is strictly necessary for the contract. If the processing goes beyond what is needed for the contract, another lawful basis is required.

3. Legal Obligation

Organisations may process personal data if it is necessary to comply with a legal obligation. This lawful basis applies when specific laws or regulations require you to process certain data – for example, retaining employee records for tax purposes. The obligation must be established under UK or EU law, and you must document the relevant legal obligation clearly when relying on this basis.

4. Vital Interests

This lawful basis applies when processing personal data is necessary to protect someone’s life and none of the other lawful bases apply. This is typically used in emergency situations, such as providing medical care when someone is physically unable to provide their consent.

5. Public Task

Processing personal data is permitted when it is necessary to perform a task carried out in the public interest or in the exercise of official authority. This is commonly used by public authorities like local councils or the police. To rely on this basis, the task must be supported by a clear legal foundation. Private sector organisations may only use this basis when performing duties on behalf of a public authority.

6. Legitimate Interests

As the most flexible lawful basis, legitimate interest can apply to a wide range of processing activities. It allows processing to pursue your own legitimate interests, or those of a third party, provided those interests are not overridden by the individual’s rights and freedoms.

This lawful basis is most commonly used for activities such as marketing, service improvements and fraud prevention. However, it would not be appropriate in cases where individuals would not reasonably expect the processing of their data or if it could result in harm to them.

Often it may be necessary to complete a Legitimate Interests Assessment (LIA) to weigh the reasons for processing data under this lawful basis against the potential risks to the individuals concerned. As with all instances of processing personal data, organisations should keep in mind the need to be transparent about what data they collect, why it is being processed, and when the processing takes place. 

Conclusion

The Role of Lawful Bases in Responsible Data Use

Understanding and selecting the correct lawful basis for processing personal data is more than just a compliance requirement; it’s the cornerstone of building trust and accountability. Ultimately, which of the six lawful bases you choose determines how you engage with individuals, the rights they hold over their data, as well as your responsibilities in managing it.

For organisations without specialist knowledge, navigating these responsibilities can feel daunting. That’s why, here at NormCyber, our team provides hands-on, tailored support to help you meet your compliance requirements with confidence and ease. Whether you need help choosing the right lawful basis, managing risks or responding to breaches, we’re here to offer expert guidance. Get in touch with us today and take the guesswork out of data protection.


Written by Isabella Gibson
Isabella Gibson is a qualified data protection practitioner and a member of the NormCyber data protection team. As a Data Protection Associate, Isabella delivers the Data Protection as a Service (DPaaS) solution to norm’s widely varied client base.
