Under the UK GDPR, you can't just collect and use people's personal data whenever you feel like it. You need a lawful basis — a legal reason that justifies your processing. Without one, you're breaking the law.
There are six lawful bases in Article 6 of the UK GDPR. This guide explains each one in plain English and helps you work out which applies to your business.
Why does lawful basis matter?
Your lawful basis determines your obligations — and your customers' rights. For example, if you rely on consent, your customers can withdraw it at any time. If you rely on legitimate interests, they can object to processing. Getting this right isn't just a compliance box-tick — it affects how you run your business.
You must also document your lawful basis and communicate it to your data subjects in your Privacy Policy.
The six lawful bases
1. Consent
You have obtained a freely given, specific, informed and unambiguous opt-in from the individual before processing their data.
When to use it: Email marketing to prospects who haven't bought from you before (for marketing emails and texts to individuals, consent is usually required by the Privacy and Electronic Communications Regulations (PECR) as well, separately from UK GDPR). Newsletter sign-ups. Non-essential cookies (another PECR requirement).
Key requirement: Consent must be active (no pre-ticked boxes), specific, and as easy to withdraw as to give.
⚠ Don't rely on consent for core business activities — if someone withdraws consent, you must stop processing, which could disrupt your business operations.
2. Contract
Processing is necessary to perform a contract with the individual, or to take steps they've requested before entering into a contract.
When to use it: Processing a customer order. Sending order confirmations. Managing an employment contract.
Key point: The processing must be necessary for the contract — not just convenient.
3. Legal Obligation
Processing is necessary for you to comply with a legal requirement (not a contractual obligation).
When to use it: Keeping financial records for HMRC. Reporting to regulators. Right-to-work checks.
Key point: There must be a specific obligation in UK law (statute or common law) that requires the processing. A contractual obligation, or a regulator's non-binding guidance, is not enough.
4. Vital Interests
Processing is necessary to protect someone's life.
When to use it: Rarely applicable to most businesses. Emergency medical situations. Disclosing information to emergency services.
Key point: This is effectively limited to emergencies, typically matters of life and death. If the individual is capable of giving consent, you should not rely on vital interests for their health data.
5. Public Task
Processing is necessary for a task in the public interest or the exercise of official authority.
When to use it: Government bodies, schools, NHS trusts, and similar public sector organisations.
Key point: Most private businesses can't rely on this basis.
6. Legitimate Interests
Processing is necessary for your legitimate interests (or those of a third party), and those interests are not overridden by the individual's rights and freedoms.
When to use it: Direct marketing to existing customers (legitimate interests covers the processing, but PECR still governs marketing emails and texts, usually via the "soft opt-in" for people who bought from you and were offered a chance to refuse). Fraud prevention. Website security. Employee monitoring (within reason). Business analytics.
Key requirement: The ICO expects you to carry out and record a Legitimate Interests Assessment (LIA), a three-part test: identify the legitimate interest (purpose test), show the processing is necessary to achieve it (necessity test), and weigh it against the individual's interests, rights and freedoms (balancing test). The question is not whether your interests outweigh theirs, but whether theirs override yours; if they do, you cannot rely on this basis.
✅ Legitimate interests is the most flexible basis and the one most small businesses rely on for day-to-day activities. But it requires more work — you must be able to justify it with a documented assessment.
Which lawful basis should most small businesses use?
Most UK small businesses will rely on a combination of bases:
- Contract — for processing customer orders, sending invoices, and delivering services
- Legitimate interests — for marketing to existing customers, website analytics, and fraud prevention
- Consent — for email marketing to prospects and non-essential cookies
- Legal obligation — for financial records and any statutory reporting
Can I use more than one lawful basis?
Yes, and you probably will. Different processing activities may rely on different bases. What you can't do is swap to a different basis later because the first one has become inconvenient, for example moving from consent to legitimate interests after someone withdraws consent. You need to decide on your lawful basis before you start processing, not after something goes wrong.
You must document your lawful basis for each type of processing activity and communicate it in your Privacy Policy. Saying "we process your data lawfully" isn't enough — you must specify which basis you're relying on.
What happens if you don't have a lawful basis?
Processing personal data without a lawful basis breaches Article 6 of the UK GDPR (and the lawfulness principle in Article 5(1)(a)). The ICO can issue fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, as well as enforcement notices requiring you to stop processing.
Summary
Every time you collect or use someone's personal data, you need a lawful basis. For most small businesses, the main bases you'll rely on are contract, legitimate interests, consent, and legal obligation. Your Privacy Policy must clearly state which basis you're using for each type of processing.
Ready to generate your GDPR policy?
Answer a few questions about your business and get a personalised, legally-structured document in minutes.
Start free — from £29 →