GDPR and your lawful basis for processing data

In the fifth part of our GDPR blog series we’re discussing the lawful basis you need to process personal data. You can read our GDPR blog series by following the links below:

    1. The General Data Protection Regulation – An introduction to GDPR
    2. How the GDPR affects the personal data you hold
    3. Plan how you need to change ahead of GDPR implementation
    4. How GDPR gives rights to individuals and their data
    5. What is your lawful basis for processing data
    6. GDPR gives you a duty prevent and report data breaches

Your lawful basis for processing data

GDPR is designed to protect personal data but achieving compliance shouldn’t hinder your businesses ability to use it. There are many instances where under GDPR the processing of personal data can be done without explicit consent but you must have a lawful basis for doing so. If you’re using personal data in any other way, then that will be deemed unlawful.

Come 25th May 2018 the GDPR will replace the Data Protection Act 1998 and no business can ignore it regardless of their size or nature – it is every organisation’s obligation to comply. If you rely on gathering, storing or using any personal data then you will need a lawful basis to do so.

To achieve a lawful basis you need to immediately review the type of data you hold and the way you use it. For many larger organisations this could prove to be a complicated task especially if they have no previous record of the types of data they’ve collected.

What constitutes a lawful basis

Obtaining consent is a key part of GDPR but you may not always need consent. Below we’ve provided an overview of the lawful basis of processing data. In all cases, if you can reasonably achieve an end goal without processing any personal data then you have no lawful basis to do so under GDPR.


GDPR sets a high standard for consent to offer individuals a clear choice of how they want their data used. At the point of consent the individual should give you explicit permission, GDPR spells the end of pre-ticked boxes and hidden terms and conditions.

Now is the time to check your consent practices to ensure they comply. Consent should be clear and concise and put the individual in charge. Your business should have clear documentation detailing when and where consent was provided. Consent should also be easy to withdraw and the process of how to do so should be clearly available.


If you hold an agreed contract with someone and you need to process their data in order to fulfil your contracted obligations, then this could be your lawful basis. You can also fall back on to this if you’ve been specifically requested to provide a quote or submit a proposal of your services to a potential customer.

A decision to rely on this lawful basis should be documented and you need to be sure you can justify your actions.

Legal obligation

In short, this lawful basis relates to you complying with common law and it will be clear whether this is necessary. This could cover a request by authorities to access information or a government body request such as HMRC requiring information on an employee. If by not complying with a request you’re committing an illegal act then this can be your lawful basis.

Vital interests

This lawful basis is very limited in its scope as it specifically relates to the well fare of the individual in question. The most common use for this would be in relation to medical purposes where a person is unable to give consent themselves.

Public task

This will virtually always relate to public bodies, industry authorities or tasks that are carried out in public interest providing it’s in relation to a specific law.

Legitimate interests

This is perhaps the most flexible lawful basis. If use personal data in a way a person would reasonably expect then you can achieve GDPR compliance without consent. However, your use must have minimal impact on their privacy and you must have compelling justification. The reasons for using this lawful basis must be included within your privacy information.

A useful way to analyse if you can employ this lawful basis would be to ask if you’d accept your data being used in the same way. You should also consider that you are responsible for ensuring a person’s rights are protected.

Although flexible, the reason for using this lawful basis are far from exhaustive and if there is a less intrusive way for you to achieve the same result you should not rely on it.