Want to watch this video? Sign up for the course here. Or enter your email below to watch one free video.

Unlock This Video Now for FREE

This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.



Under the General Data Protection Regulations, all organisations must identify their lawful basis or bases to process data. If they cannot identify a lawful basis, they cannot process that data lawfully. The lawful basis for each processing activity should be included in the organisation's privacy policy. The GDPR sets out six lawful bases and which one is most appropriate depends on the type of processing being carried out.

The first lawful basis is consent. This is very straightforward and gives the individual real control over their data, as they can withdraw their consent at any time. Consent is not ideal for situations where an organisation need to retain data, as the individual can object to that further processing, including the storing of their data. The next lawful basis is a contract. This means that data can only be processed to fill a contract and not for any other purpose. The contract may be to provide goods and services and can also be where an individual has requested a quote for goods and there does not need to be a formal written contract in place for this basis to apply. Legal obligation, vital interest and public task are also lawful bases for processing.

The legal obligation applies where an organisation has to process personal data to comply with the law. An example would be tax information that relates to an employee, which an organisation is obliged to provide, should the HMRC or court order request it. Vital interest in most cases applies to health data, where processing would be necessary to protect the individual's life or protect someone else's life. This lawful basis is not appropriate for most businesses. Public task is most relevant to public authorities or organisations that exercise official authority and carry out the task in the public interest. One example may be a private water company who, although they are not a public authority, carry out the functions of a public administration and have legal powers to carry out utility services in the public interest.

The final lawful basis is a legitimate interest. This is the most flexible lawful basis of processing, but should not be assumed to be the best option for all processing. It is only appropriate where personal data is processed in a way that an individual would expect and in ways that have a minimal privacy risk. Before an organisation considers legitimate interest for their processing activity, they must balance their interests against those with the individuals, after completing a legitimate interest assessment and clearly documenting their decisions.