UK GDPR: choose your ‘lawful basis’ for processing personal data

Under the UK GDPR, you must identify a lawful basis (or legal reason) you can use to justify why you process personal data. Use our guidance to work out which of the 6 lawful bases to use and avoid wasting time seeking consent you don't need.

Last reviewed on 14 April 2022
School types: All · School phases: All
Ref: 34542
  1. You must identify a lawful basis to process personal data 
  2. Summary of each basis
  3. Use the Information Commissioner’s Office (ICO)'s self-assessment tool to identify which basis you can use
  4. Guide to completing the self-assessment 
  5. Additional conditions for special category and criminal offence data
  6. What do we do once we've identified our lawful basis?

You must identify a lawful basis to process personal data 

For every data processing activity you carry out under the UK General Data Protection Regulation (UK GDPR), you must identify a 'lawful basis' (or bases, as you can choose more than one) to justify processing the personal data.

You'll have to decide which basis to use on each occasion, based on the context and details of your processing activities.

Your processing always needs to be a ‘necessary and proportionate’ way of achieving your underlying task. You can only collect the personal data you actually need (not just data that will be useful), and must choose the least intrusive option available to you.

This is one of the 7 principles of data processing under the UK GDPR - get further details on the principles in our summary article.

You can justify processing data if the activity falls