Understanding Lawful Bases for Processing Personal Data Under UK GDPR: A Guide for Businesses | Sprintlaw UK (2025)


If your business collects, stores or uses any personal information about your customers, staff, or partners, you’re likely aware of data protection rules, but it can be tricky to know exactly what’s required of you under the UK GDPR.

You might have come across phrases like “lawful basis for processing” or “processing data lawfully.” But what does processing personal data lawfully actually mean? And how can you make sure your business gets it right and stays compliant?

In this guide, we’ll break down what the law says, explain the six lawful bases for processing personal data, and provide practical tips for UK businesses. That way, you can confidently build privacy compliance into your day-to-day operations, protecting your business and maintaining the trust of your clients.

What Does It Mean to Process Personal Data Lawfully?

Put simply, under the UK General Data Protection Regulation (UK GDPR), you can only use personal data if you have a lawful reason to do so. You must identify one (or more) of the six lawful bases for processing data before you do anything with someone’s personal details, whether that’s collecting, storing, analysing, sharing, or even deleting it.

If you don’t have a valid lawful basis, or you process data outside of that basis, your actions are considered unlawful. This can expose your business to significant risks, including regulatory fines, customer complaints, reputational harm, or even legal proceedings.

So, processing personal data lawfully means making sure every single way you use personal information has a legitimate and justifiable legal reason. It’s not just best practice; it’s a requirement under both the UK GDPR and the Data Protection Act 2018.

When Do You Need a Lawful Basis for Processing Personal Data?

A lawful basis is required every time you process, use or interact with personal data, whether that relates to:

  • Customer records (names, addresses, contact details)
  • Employee data (payroll, performance, HR files)
  • Marketing activities (mailing lists, analytics data)
  • Supplier information
  • Any information that identifies, or could identify, a living person

Even seemingly harmless or “internal” uses need clear justification. There’s no “catch-all” defence: the law requires you to actively choose a suitable basis before processing. If you’re collecting or sharing customer data for any purpose, you must be able to explain which legal basis applies.

Why Is Identifying the Lawful Basis So Important?

Getting this step right is crucial for a few key reasons:

  • Compliance: It’s a legal obligation under Article 6 of the UK GDPR.
  • Transparency: You must inform people about your lawful basis in your Privacy Policy or collection notices.
  • Accountability: The Information Commissioner’s Office (ICO) can investigate and require evidence that you’ve properly considered your basis, especially if there’s a complaint or incident.
  • Enforcement Risk: Failing to have the correct lawful basis could result in fines or enforcement action, particularly for serious or repeated breaches.

If you’re ever unsure, keeping clear records and seeking legal advice is a smart move, as this shows you’re taking your obligations seriously.

What Are the Six Lawful Bases for Processing Personal Data?

Let’s take a closer look at each of the six lawful bases set out under UK GDPR, and when they’re typically used by businesses.

1. Consent

Consent is one of the most well-known bases for processing personal data. It means you’ve asked someone directly and they’ve clearly agreed to let you use their information for specific purposes.

Key things to note about consent:

  • It must be freely given, specific, informed and unambiguous. Pre-ticked boxes or inactivity don’t count.
  • You should keep records showing who consented, when, and exactly what they were told.
  • It’s not a “one size fits all” basis; some processing activities are better justified under other legal grounds (such as contracts or legitimate interests).
  • People have the right to withdraw consent at any time, and this withdrawal must be as easy as giving it in the first place.

Typical uses: Sending marketing emails to subscribers, using cookies for analytics after users opt in (more about cookies and consent), obtaining explicit “opt-in” for data-sharing or special categories of data.

2. Contract

You can process personal data if it’s necessary to fulfil a contract you have with the individual-or to take steps they’ve requested before entering into that contract.

How does this work in practice?

  • If you sell products online, processing a customer’s address and details to deliver their order falls under this lawful basis.
  • Employee payroll processing (calculating wages, making payments, and managing holidays) can be justified by the employer-employee contract.
  • Quotation requests, bookings, or information needed to set up a contract are also covered (as long as processing is “necessary”).

Just remember: Only the processing strictly required for the contract is covered. Anything “extra” (like optional marketing) will need a different legal basis.

If you want help ensuring your contracts are compliant or properly drafted, see our contract drafting services.

3. Legal Obligation

Some processing is required to meet legal obligations; in other words, the law says you must do it. This isn’t the same as a contract; it refers to statutory or regulatory requirements.

Examples include:

  • Providing employee records to HMRC or the Pensions Regulator
  • Fulfilling health and safety reporting duties under relevant legislation
  • Maintaining accounts for tax auditing purposes

If you’re relying on this legal basis, make sure to identify the underlying law or regulation justifying the data processing and clearly document it.

4. Vital Interests

This basis applies where processing is necessary to protect someone’s life or physical safety. It’s rarely relevant for most businesses, but may come up in crisis or emergency situations.

For example:

  • Sharing medical details with emergency responders if an employee becomes ill at work
  • Passing details to police or hospitals in life-threatening scenarios

You can’t use this as a catch-all for health-related information: “vital interests” usually only applies if consent can’t be obtained and there’s no other way to save a life.

5. Public Task

Mostly relevant for public authorities (such as local councils, regulators or government-funded services), this lawful basis is used when processing is required for the public interest or to exercise official authority.

Private sector businesses will rarely rely on this basis, unless they are carrying out a function that’s set out in law or on behalf of a public body.

The key point is that there must be a clear legal underpinning for the processing activity.

6. Legitimate Interests

For many private companies, legitimate interests is the most flexible and commonly used lawful basis, but it comes with important responsibilities.

This allows you to process personal data if it’s necessary for your (or a third party’s) legitimate interests, except where these are overridden by the interests, fundamental rights and freedoms of individuals.

Typical scenarios that can rely on this basis include:

  • Direct marketing, customer relationship management
  • Fraud prevention or ensuring network security
  • Internal business analysis, improving services

However, you must carry out a balancing test, often called a Legitimate Interests Assessment (LIA), to weigh your aims against the potential impact on the individual’s privacy. Document your decision and be prepared to justify it if challenged.

If you’re unsure whether legitimate interests is appropriate for your business activity, it’s wise to get legal support or consult the ICO’s detailed guidance.

Choosing the Right Lawful Basis for Each Processing Activity

You must decide before you start any processing what your legal basis is. This isn’t something you can apply retroactively if there’s a data breach or complaint!

The process generally involves:

  • Mapping out all your personal data processing activities (who, what, why, how, where, and when)
  • Identifying the lawful basis for each (it may differ between activities)
  • Documenting your decisions: keep a record of your reasoning and which lawful basis you’ve chosen
  • Updating your Privacy Policy and collection processes so individuals know how and why you use their data

If the lawful basis changes over time (for example, you want to start using customer data for marketing when previously it was just for fulfilling orders), you must update your records and let individuals know.

Lawful Basis vs. Special Category Data and Criminal Convictions

Be aware: If you’re processing special category data (such as health details, racial or ethnic origin, sexual orientation, religion, or trade union membership) or criminal convictions data, there are extra requirements under UK GDPR.

You must still identify a lawful basis, but also meet a further legal condition for these “sensitive” types of information. The bar is higher, so it’s important to get specialist legal advice for any such processing.

For more, see our guide: Privacy Policy: What You Need to Know

What Happens If You Don’t Have a Lawful Basis?

If you process data without a valid legal basis:

  • It’s unlawful under UK GDPR, regardless of your intentions or ethical considerations.
  • You could face:
    • Enforcement action or fines from the ICO (up to £17.5 million or 4% of global annual turnover for the most serious breaches)
    • Reputational damage or customer loss
    • Civil claims or disputes if individuals’ rights are impacted
  • Customers and employees are within their rights to complain or request you stop processing their data.

This is why picking the correct legal basis upfront, and clearly communicating it, should be a core part of your business’s privacy compliance programme.

Need help assessing your current compliance or selecting appropriate lawful bases? Our team can review your data protection needs and ensure you’re set up for success. Contact us today or visit our Data Protection Pack service.

Top Tips for Staying Compliant With Lawful Bases Under UK GDPR

Here are some practical steps to help your business process personal data lawfully:

  • Audit and map all personal data processing activities in your business
  • Identify the lawful basis for each activity, and document the reasons for your choices
  • Update your Privacy Policy and internal records regularly, to reflect any processing changes
  • Use consent with care: for marketing, cookies, analytics, and special category data, always get clear opt-in
  • If relying on legitimate interests, carry out and record a Legitimate Interests Assessment
  • Train your staff: everyone handling personal data should understand the basics of lawful processing and the importance of privacy
  • Keep up to date: privacy law changes over time; review your approaches (such as for GDPR compliance) and seek advice as your business evolves

Above all, remember: if in doubt about which lawful basis to use, or if your use of personal data is “borderline”, consult a data protection solicitor who can give tailored advice for your situation.

Key Takeaways

  • Processing personal data lawfully under the UK GDPR means having, identifying, and documenting a valid lawful basis for each processing activity.
  • The six lawful bases are: Consent, Contract, Legal Obligation, Vital Interests, Public Task, and Legitimate Interests. Choose the one that fits your precise activity.
  • If you can’t show a clear lawful reason for processing, your actions are unlawful, potentially exposing your business to legal and financial penalties.
  • Keep robust records, communicate your legal bases clearly to individuals (typically via a privacy notice), and review your approach regularly.
  • Special category and criminal convictions data require extra safeguards; get legal advice for handling them.
  • Don’t assume: if you’re unsure about your legal basis, or how to meet UK GDPR standards, contact a legal expert for help.

If you want help making sure your business is compliant with data protection law, or if you have any questions about the lawful bases for processing data, you can reach us on 08081347754 or at [emailprotected] for a free, no-obligation chat with our friendly legal team.

Alex Solo

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
