UK GDPR: ‘lawful basis’ for processing personal data

Under the UK GDPR, you must identify a lawful basis (or legal reason) you can use to justify the specific purpose for processing personal data. Use our guidance to work out which of the 6 lawful bases to use and avoid wasting time seeking consent you don't need.

Last reviewed on 22 April 2024See updates
School types: AllSchool phases: AllRef: 34542
  1. You must identify a lawful basis to process personal data 
  2. A summary of each basis
  3. Use the Information Commissioner’s Office (ICO)'s self-assessment tool
  4. Your guide to completing the self-assessment 
  5. You need to meet additional conditions for processing special category data
  6. Once you've identified your lawful basis

You must identify a lawful basis to process personal data 

For all data processing activity you do under the UK General Data Protection Regulation (UK GDPR), you must identify a 'lawful basis' to justify the specific purpose for processing personal data.

If you use the same set of data for more than 1 purpose, you must identify a legal basis for each specific purpose.

You'll have to decide which basis to use on each occasion, based on the context and details of your processing activities.

Your processing must always be ‘necessary' and 'proportionate’

This follows the 7 principles of data processing under the UK GDPR – get further

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.