Lawful Basis for Processing: Legal Framework for Data Management

In Short

  • You must identify and document a lawful basis under UK GDPR before processing personal data. Processing without a lawful basis is unlawful.
  • For sensitive data, such as health or race information, both an Article 6 lawful basis and an Article 9 condition are required, along with extra safeguards.
  • Lawful bases must be integrated into compliance frameworks, documented in Records of Processing Activities, and regularly reviewed for changes in data use.

Tips for Businesses

Ensure your lawful basis is clear, documented, and communicated in your privacy notices. Regularly review processing activities to confirm the lawful basis still applies. If dealing with special category data, ensure you meet additional conditions and maintain an Appropriate Policy Document. Seek legal advice if you’re unsure about your obligations.

For any business that processes personal data, complying with UK data protection law is a vital legal requirement. A core principle of that framework is that a data controller must determine a lawful basis for each processing activity. Without a lawful basis, the processing is unlawful. Identifying and recording a lawful basis is therefore one of the most fundamental obligations within a controller's personal data compliance and management framework. This article explains why businesses need a lawful basis and how the choice of lawful basis shapes an organisation's wider compliance obligations.

Why Must You Identify a Lawful Basis Before Processing Data?

As a controller, you must identify a lawful basis before processing personal data. This is a key legal requirement under the UK GDPR.

If you cannot rely on one of the lawful bases, your processing will be unlawful and violate the UK GDPR. Breaching the UK GDPR rules can have negative implications, such as enforcement action, reputational damage, and fines.

Identifying your legal basis upfront can help you ensure compliance and clarify why your business handles different types of personal data.

The UK GDPR provides six lawful bases for processing personal data:

  • Consent: individuals give clear, informed and specific agreement to the processing, and must be able to withdraw that agreement as easily as they gave it;
  • Contractual Necessity: the processing is needed to perform a contract with the individual, or to take steps at the individual’s request before entering into a contract;
  • Legal Obligation: the processing is required to comply with a legal duty;
  • Vital Interests: the processing is necessary to protect someone’s life;
  • Public Task: the processing is carried out in the public interest or in the exercise of official authority, typically by public bodies; and
  • Legitimate Interests: the processing benefits your organisation or a third party, provided those interests are not overridden by the individual’s rights and freedoms. You must carry out and record a Legitimate Interests Assessment (LIA) to justify relying on this basis.

Your business must take the time to carefully understand what each lawful basis means and how to apply a lawful basis to your specific data processing activities. If you feel uncertain about which basis to rely upon, you should seek legal advice from a data protection solicitor to help guide you on which may be appropriate for your specific purposes.

Examples

Imagine you run a mobile app and act as the data controller for the personal data you collect via that app. To comply with the UK GDPR, you must assess each purpose for collecting and using your users’ personal data, determine a lawful basis for processing, and tell users about this in your Mobile App Privacy Notice.

For example, when you allow users to install the app and set up an account, you will likely collect their identity, contact and device information. Your business may rely on ‘performance of a contract’ because you need that data to deliver the app and its core functions to users.

If your app lets users make purchases, you may collect and process their data to fulfil orders, manage payments, and send payment confirmations. The lawful basis for this activity may depend on the performance of a contract, as your business needs the data to provide the services or purchases the user requested.

In each case, you must document the lawful basis for processing, explain it clearly in your Mobile App Privacy Notice, and ensure users understand how and why you process their data. If you rely on legitimate interests, your business must carry out a Legitimate Interests Assessment to show that your interests do not override the rights and freedoms of your users.

Determining the appropriate legal basis and associated rules is a key initial consideration for your projects.

What Additional Rules Arise for Special Category Data and Criminal Convictions Data?

Some types of personal data processing require additional safeguards due to their sensitivity.

Special category data includes information revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data used to uniquely identify someone, health data, and data concerning sex life or sexual orientation. To process this data, you must meet additional conditions, as you will need to both: 

  • identify a lawful basis under Article 6 of the UK GDPR; and
  • rely on a separate condition under Article 9.

In many cases, you also need to maintain an Appropriate Policy Document when processing this data. This applies where you rely on one of the conditions in Schedule 1 of the Data Protection Act 2018 that requires it (most of the employment and substantial public interest conditions). The document explains how you protect such data and how you comply with the data protection principles, including your retention and erasure approach.

Criminal convictions and offence data also carry stricter requirements. Under Article 10 of the UK GDPR and the Data Protection Act 2018, you may only process this data under official authority or where you meet one of the conditions in Schedule 1 of the Act, and an Appropriate Policy Document is often required here too.

How Do You Integrate Your Lawful Basis into Your Data Processing Compliance Framework?

Identifying the appropriate lawful basis alone is not where your compliance obligations end.

You must integrate this decision into your wider UK GDPR compliance framework to ensure ongoing accountability and comply with your legal obligations.

Key Actions

Here are some key actions you should take as part of your compliance framework: 

  • determine your lawful basis before you start processing personal data, and document the basis for each processing activity so you can justify the decision. Record this in your Record of Processing Activities; that record is how you demonstrate compliance with the accountability principle under the UK GDPR;
  • be transparent about your lawful basis. You must state it in your Privacy Notices and Privacy Policies so individuals understand why their data is being processed. Clear and accessible privacy documents help make your processing fully transparent to data subjects. Remember to address this in both staff-facing and customer-facing notices: the lawful basis for processing client data and staff data will often differ, and the two are typically covered by separate privacy documents; and
  • review your lawful bases regularly. If your processing activities change, reassess whether the original lawful basis still applies. The ICO guidance is clear that you must determine your lawful basis before processing and get it right from the start: if you later find that the basis you chose does not apply, you cannot simply swap to another one.
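The three actions above can be enforced mechanically over a Record of Processing Activities. The following Python script is an added example, not LegalVision’s code or any ICO tooling: it models each RoPA entry as a record and checks it against the rules this article sets out (a valid Article 6 basis; an LIA where legitimate interests is relied on; an Article 9 condition and an Appropriate Policy Document for special category data; a Schedule 1 condition for criminal offence data; a privacy notice reference; and a periodic review). The record layout, field names, the short labels for the Article 9 conditions and the one-year review interval are all assumptions for illustration, and the sample RoPA entries are constructed to match the mobile-app scenario above.

```python
# Added example: validate a Record of Processing Activities (RoPA) against the
# lawful-basis rules described in this article. Not LegalVision's code; the
# record layout, field names and review interval are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Article 6(1)(a)-(f) UK GDPR lawful bases.
ARTICLE_6_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}

# Article 9(1) special categories (short labels assumed for this example).
SPECIAL_CATEGORIES = {
    "racial_or_ethnic_origin", "political_opinions",
    "religious_or_philosophical_beliefs", "trade_union_membership",
    "genetic", "biometric_for_identification", "health",
    "sex_life_or_sexual_orientation",
}

# Article 9(2)(a)-(j) conditions (short labels assumed for this example).
ARTICLE_9_CONDITIONS = {
    "explicit_consent", "employment_social_security_social_protection",
    "vital_interests", "not_for_profit_body", "manifestly_made_public",
    "legal_claims", "substantial_public_interest", "health_or_social_care",
    "public_health", "archiving_research_statistics",
}

REVIEW_INTERVAL = timedelta(days=365)  # assumed review cadence, not a legal deadline


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    data_categories: set[str]
    article_6_basis: Optional[str]
    article_9_condition: Optional[str] = None
    lia_completed: bool = False                 # Legitimate Interests Assessment on file
    appropriate_policy_document: bool = False   # APD on file
    criminal_offence_data: bool = False
    dpa_schedule_1_condition: Optional[str] = None  # DPA 2018 Sch. 1 condition relied on
    privacy_notice_ref: Optional[str] = None    # where the basis is disclosed to data subjects
    last_reviewed: Optional[date] = None


def validate_activity(a: ProcessingActivity, today: date) -> list[str]:
    """Return the compliance gaps for one RoPA entry; an empty list means none found."""
    findings: list[str] = []

    if a.article_6_basis not in ARTICLE_6_BASES:
        findings.append("no valid Article 6 lawful basis recorded")
    elif a.article_6_basis == "legitimate_interests" and not a.lia_completed:
        findings.append("legitimate interests relied on without a Legitimate Interests Assessment")

    special = a.data_categories & SPECIAL_CATEGORIES
    if special:
        if a.article_9_condition not in ARTICLE_9_CONDITIONS:
            findings.append(f"special category data ({', '.join(sorted(special))}) "
                            "without an Article 9 condition")
        if not a.appropriate_policy_document:
            findings.append("special category data without an Appropriate Policy Document; "
                            "confirm whether the condition relied on requires one")

    if a.criminal_offence_data and not a.dpa_schedule_1_condition:
        findings.append("criminal offence data without a DPA 2018 Schedule 1 condition")

    if not a.privacy_notice_ref:
        findings.append("lawful basis not referenced in any privacy notice")

    if a.last_reviewed is None or today - a.last_reviewed > REVIEW_INTERVAL:
        findings.append("lawful basis not reviewed within the assumed review interval")

    return findings


def validate_ropa(activities: list[ProcessingActivity], today: date) -> dict[str, list[str]]:
    """Run validate_activity over every entry, keyed by activity name."""
    return {a.name: validate_activity(a, today) for a in activities}


# Constructed sample RoPA entries for the mobile-app scenario in this article.
SAMPLE_ROPA = [
    ProcessingActivity(
        name="account_setup", purpose="Create and operate user accounts",
        data_categories={"identity", "contact", "device"},
        article_6_basis="contract", privacy_notice_ref="app-privacy-notice#accounts",
        last_reviewed=date(2025, 3, 1),
    ),
    ProcessingActivity(
        name="usage_analytics", purpose="Improve app features",
        data_categories={"device", "usage"},
        article_6_basis="legitimate_interests",  # no LIA on file: should be flagged
        privacy_notice_ref="app-privacy-notice#analytics",
        last_reviewed=date(2025, 3, 1),
    ),
    ProcessingActivity(
        name="wellness_tracker", purpose="Log user health metrics",
        data_categories={"identity", "health"},
        article_6_basis="consent",  # Article 6 only: no Article 9 condition, no APD
        privacy_notice_ref=None, last_reviewed=None,
    ),
]

if __name__ == "__main__":
    for name, findings in validate_ropa(SAMPLE_ROPA, date(2025, 6, 1)).items():
        print(name, "OK" if not findings else findings)
```

Run as a script, the account-setup entry passes, the analytics entry is flagged for the missing LIA, and the wellness entry is flagged four times (no Article 9 condition, no APD, no privacy notice reference, never reviewed). A check like this belongs in whatever pipeline maintains the RoPA, so that a new feature cannot be added to the record without a basis being stated, and so that a stale basis surfaces before an auditor or the ICO asks for it.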

Key Takeaways

As a data controller, you must consider and document your basis for processing personal data. You must identify a valid lawful basis before you process personal data. Processing without a lawful basis breaches the UK GDPR and puts your organisation at risk. Your business should seek legal advice if unsure about the correct lawful basis for your specific data processing activities.

Frequently Asked Questions

What happens if I process personal data without a lawful basis?

Processing data without a lawful basis breaches the UK GDPR, and your organisation can face various penalties for violating this legal obligation. 

Does special category data processing require additional rules?

Special category data requires both a lawful basis under Article 6 and a separate condition under Article 9 of the UK GDPR. This is due to the sensitivity of these categories of data.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.
