You must identify a lawful basis to process personal data
For all data processing activity you do under the UK General Data Protection Regulation (UK GDPR), you must identify a 'lawful basis' to justify the specific purpose for processing personal data.
If you use the same set of data for more than 1 purpose, you must identify a legal basis for each specific purpose.
You'll have to decide which basis to use on each occasion, based on the context and details of your processing activities.
Your processing must always be ‘necessary' and 'proportionate’
This follows the 7 principles of data processing under the UK GDPR – get further