What Are The 6 Lawful Bases for Processing Data?

Lawfulness, fairness and transparency are the first of the seven principles of UK GDPR. Lawfulness relates to the fact that there must be a good reason to process someone’s data. They must also give you consent before you go ahead with processing it. If there’s no good reason for doing it and you don’t have their permission, it’s deemed unlawful. It’s also, therefore, a breach of the regulations.

To comply with the lawfulness of data processing, at least one of the six lawful bases must apply. But, do you know what they are and what they mean? Let’s take a closer look at each of the six bases you need to know about, to ensure you’re compliant with the UK GDPR.

One or more of the following must apply whenever personal data is processed. The six lawful bases are:

• Consent – the data subject/individual has given consent for you to process their data for one or more specific purposes.
• If you rely on this basis, you must prove that consent has been given. Good record-keeping is vital because the data subject can withdraw consent at any time
• Contract – processing personal data is necessary to fulfil a contract with the individual or before entering into a new contract.
• The contract doesn’t have to be formal, written, or legal. It can be an oral statement. It just needs to meet the requirements of contract law
• Legal obligation – processing the data is required for you to comply with the law.
• Any documents you retain must refer to the specific legal provision you comply with. Again, make sure you keep all records – it’s essential.
• Vital interests– data processing is necessary to protect the individual’s or someone else’s life.
• This lawful basis is used in emergency medical care situations
• Public task– processing the data is necessary for you to perform a job that is in the public interest or your official functions, which has a clear basis in law.

Article (6) 1 of the GDPR Data Protection Act confirms that this includes the processing of an individual’s data that is necessary for:

1. the administration of justice
2. the exercise of a function of either House of Parliament
3. the exercise of a function conferred on a person by an enactment or the rule of law
4. the exercise of a function of the Crown, a Minister of the Crown, or a government department
5. an activity that supports or promotes democratic engagement

• Legitimate interests– the processing of personal data is necessary for your legitimate interests or that of a third party.

• The exception is when there’s a good reason to protect the individual’s personal information that overrides those legitimate interests. (If you are a public authority processing personal data to perform official tasks, this cannot apply)
• This lawful basis has the most wriggle room because a legitimate interest could apply to any data processing you carry out. But, you must still judge whether your data processing interests are legitimate. The three-part test from the Information Commissioner’s Office will help you to decide.
• Legitimate interests may include processing employee data, data that prevents fraud or data for marketing purposes

You can’t process personal data if no lawful basis applies. It means you are in breach of the first principle of UK GDPR.

If people become aware that you’ve processed their data unlawfully, they have the right to have that data erased. You can be heavily fined for this breach. So, it makes business sense to do things by the law.

Halfords, the UK’s largest retailer of motoring and cycling products and services, was fined £30,000 for sending under 500,000 unsolicited marketing emails to people without their consent.

In July 2020, the retailer sent out a direct marketing email about a “Fix Your Bike” government scheme, allowing people to use a voucher worth up to £50 toward the cost of repairing a bike in some approved retailers across the country.

Halfords was one of these retailers, but they used this to promote their services by encouraging people to book a free bicycle assessment and redeem the voucher in their stores. This amounted to them marketing their services to generate income for them.

Halfords claimed they had a legitimate interest in processing personal data in this way. However, the ICO found that the email was used for advertising Halfords’ services.

There are a few approaches when it comes to lawful bases. It depends on the purpose of your processing. Consider why you must process the data and cross-reference with the six bases to see which best suits the circumstances.

You may need to apply more than one basis and if so, you must document all of them.

Questions to ask may include:

• Who benefits from the processing?
• Is this how an individual would expect their data to be processed?
• What’s the relationship between you and the individual?
• Is the individual vulnerable?
• Can you stop the processing of their data immediately upon their request?

UK data laws can be hard to understand, and Art 6 GDPR may be difficult to remember. Take the pressure off yourself and your employees with a GDPR course that can be completed in your own time. Our course explains GDPR legislation, its seven principles and key terms. It’ll certainly give you and your team a better understanding of the consequences of non-compliance.