Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Why Does the Lawful Basis Matter?
- What Counts as Personal Data Under the UK GDPR?
- What Happens If I Get the Lawful Basis Wrong?
- Common Scenarios: Real-World Examples
- Documenting and Communicating Your Lawful Basis
- Extra Tips for Small Business Compliance
- Further Legal Requirements: Beyond the Lawful Basis
- Key Takeaways
Every UK business that handles personal data, whether it’s customer details, employee records, or supplier information, must comply with the UK General Data Protection Regulation (UK GDPR). One of the most fundamental - and often misunderstood - requirements under the UK GDPR is that you must have a lawful basis for processing personal data before you touch a single record.
Failing to get this right can bring serious consequences, from fines to reputational damage. But don’t stress - understanding the legal basics is straightforward once you break it down. Whether you’re starting a new online shop, growing a consultancy, or running a busy hospitality business, ensuring you’re legally covered from day one is key to staying compliant and building trust.
In this practical guide, we’ll walk you through the six lawful bases for processing personal data under the UK GDPR, help you decide which one applies to your activities, and offer actionable tips for keeping your business protected.
Why Does the Lawful Basis Matter?
The UK GDPR requires you to identify and document your lawful basis for every instance of personal data processing your business carries out. If you skip this step, the processing is unlawful - exposing you to enforcement by the Information Commissioner’s Office (ICO), reputational damage, and potentially heavy fines.
Establishing your lawful basis:
- Demonstrates to customers and regulators that you handle data responsibly
- Ensures your processing is limited to legitimate, necessary activities
- Forms part of your required compliance documentation, such as your Privacy Policy and Record of Processing Activities
If you collect, store, or use any information that identifies a living individual, these rules apply to you.
What Counts as Personal Data Under the UK GDPR?
Personal data means any information that can directly or indirectly identify an individual. That includes obvious identifiers like names, but also digital data or combinations of details that identify someone.
Typical examples include:
- Customer names, addresses, emails, or phone numbers
- Employee or applicant HR records
- Marketing databases or mailing lists
- Online user data such as cookies, IP addresses, or purchase history
If you handle any of this information, you must determine a lawful basis for doing so.
What Are the Six Lawful Bases for Processing Personal Data?
The UK GDPR sets out six lawful bases. Each processing activity must be matched to one (and only one) lawful basis. It’s not one-size-fits-all - your choice depends on the purpose of processing.
1. Consent
The individual has freely given specific, informed, and unambiguous consent for you to process their personal data for a particular purpose.
- When it applies: Marketing emails, newsletter subscriptions, or loyalty programmes.
- Key requirements: Consent must be opt-in; pre-ticked boxes or “implied consent” don’t count.
- Best practice: Keep records of when and how consent was obtained, and make withdrawal as easy as giving it.
2. Contractual Necessity
Processing is necessary to perform a contract with the individual, or to take steps at their request before entering into a contract.
- When it applies: Fulfilling orders, providing services, paying staff.
- Example: Using a customer’s address and payment details to deliver a purchased item.
3. Legal Obligation
Processing is necessary to comply with a UK legal obligation.
- When it applies: Keeping payroll or tax records, reporting workplace incidents, verifying identity under anti-money laundering laws.
- Note: This basis only covers statutory duties, not internal policy or contractual requirements.
4. Vital Interests
Processing is necessary to protect someone’s life or physical safety.
- When it applies: Medical emergencies or serious safety risks.
- Example: Sharing an injured visitor’s details with emergency services.
- This basis is rare for most businesses.
5. Public Task
Processing is necessary to perform a task carried out in the public interest or in the exercise of official authority.
- When it applies: Public bodies (e.g. councils, regulators) or organisations delivering government functions.
- Note: It’s rarely relevant for purely private sector businesses.
6. Legitimate Interests
Processing is necessary for your legitimate business interests (or those of a third party), provided these are not overridden by the individual’s rights and freedoms.
- When it applies: Fraud prevention, basic analytics, network security, or some types of direct marketing.
- Important step: You must carry out and document a Legitimate Interests Assessment (LIA) to justify using this basis.
For more, see our guide to customer data protection and direct marketing compliance.
How Do I Choose the Right Lawful Basis?
The lawful basis depends entirely on why you are processing the data. You should decide this before starting processing and record it in your data protection documentation.
Step-by-Step: Determining Your Lawful Basis
- Map your processing activities: identify every way you collect or use personal data - sales, newsletters, HR, analytics, etc.
- Understand the purpose: be clear why you need each piece of information.
- Match each activity to a lawful basis: ask whether the processing is required by contract, law, consent, or legitimate interests.
- Document your decision: record your lawful basis in your data map or Record of Processing Activities (Article 30 UK GDPR).
- Review regularly: as your business evolves, revisit your lawful basis to ensure it remains appropriate.
Using the wrong lawful basis (e.g. claiming “consent” when it’s actually “contract”) can lead to compliance issues if challenged by the ICO or data subjects.
What Happens If I Get the Lawful Basis Wrong?
Getting this wrong is serious under UK GDPR. Consequences include:
- ICO enforcement: Orders to stop processing or destroy data
- Fines: Up to £17.5 million or 4% of global turnover (whichever is higher)
- Reputational harm: Customers lose trust quickly if their data is mishandled
Fixing errors after the fact can be costly and time-consuming - prevention is far cheaper.
Common Scenarios: Real-World Examples
Here’s how lawful bases typically apply in everyday business situations:
- Selling goods online: Contractual Necessity - using customer data to process orders and payments.
- Email marketing lists: Consent - individuals must actively opt in and be able to unsubscribe easily.
- HR and payroll: Contractual Necessity and Legal Obligation - employee data is processed to pay wages and report to HMRC.
- CCTV monitoring: Legitimate Interests - to prevent theft or ensure security, provided you’ve carried out an LIA and displayed clear signage.
If you process children’s data, “special category” data (like health, religion, or biometrics), or data for new technologies (AI, tracking, etc.), additional safeguards apply.
Documenting and Communicating Your Lawful Basis
Once you’ve chosen your lawful bases, you must both record and communicate them clearly.
- Record your reasoning: Update your Record of Processing Activities (RoPA) and internal compliance logs.
- Update your Privacy Policy: Be transparent - explain which lawful basis applies to each type of processing.
- Be ready for questions: Under the right to be informed, individuals can ask which basis you rely on.
- Manage consent properly: Make consent easy to withdraw and track when it’s withdrawn.
Extra Tips for Small Business Compliance
- Train your staff: Everyone handling data should know the basics of UK GDPR.
- Collect only what you need: Avoid unnecessary data collection.
- Review regularly: As your processes evolve, so must your compliance documentation.
- Get advice when unsure: A quick consultation with a data protection lawyer can save you from major issues later.
Further Legal Requirements: Beyond the Lawful Basis
Identifying your lawful basis is just the start. You also need to:
- Appoint a Data Protection Officer (DPO) if required by Article 37 UK GDPR.
- Have written contracts (Data Processing Agreements) with any third-party processors.
- Be ready for data subject rights requests (access, correction, deletion, etc.).
- Report qualifying data breaches to the ICO within 72 hours.
For more details, see our UK GDPR compliance and startup legal checklists.
Key Takeaways
- Every UK business processing personal data must document a lawful basis for each processing activity.
- The six lawful bases are: Consent, Contractual Necessity, Legal Obligation, Vital Interests, Public Task, and Legitimate Interests.
- Choosing the correct lawful basis protects you from ICO enforcement and strengthens trust.
- Record your reasoning and reflect it in your Privacy Policy and compliance documents.
- When in doubt, seek expert advice - the wrong lawful basis can invalidate your entire processing.
Setting up your data protection compliance correctly from day one protects your business, builds customer trust, and helps you grow confidently.
If you’d like practical legal help with data protection or privacy compliance, contact us at team@sprintlaw.co.uk or call 08081347754 for a free, no-obligation chat with one of our friendly legal experts.