
A guide to lawful basis

Latest updates - 02 April 2026

02 April 2026 - we have updated this guidance to reflect amendments introduced by the Data (Use and Access) Act and to follow the ICO's latest style guide.

07 October 2022 - We have updated our position on needing a new lawful basis when your purpose for processing changes. The update can be found under the ‘What happens if we have a new purpose?’ section. You now need to consider whether you need a new lawful basis if your purposes for processing personal data change.

At a glance  

  • You must have a valid lawful basis to handle personal information. 
  • There are seven lawful bases available for you to use. No single basis is ‘better’ or more important than the others. The most appropriate basis depends on your purpose and relationship with the person.  
  • Most lawful bases say that what you want to do must be ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis. 
  • You must determine your lawful basis before you start using the personal information and you must document it.  
  • Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason. In particular, you can’t usually swap from consent to a different basis. 
  • You must include your lawful basis and your purposes for using the personal information in your privacy information. 
  • If your purposes change, you must identify a lawful basis for the new purpose. Your original lawful basis may not always be appropriate. 
  • If you want to use special category data, you must identify both a lawful basis and an additional condition for using this type of information. 
  • If you want to use criminal conviction data or information about offences, you must identify both a lawful basis and an additional condition for using this type of information (if you don’t have official authority to use the information).

In brief 

What are the lawful bases? 

The lawful bases are set out in article 6 of the UK GDPR. You must apply at least one of these whenever you want to handle personal information: 

(a) Consent: the person has clearly given consent for you to use their information for a specific purpose. 

(b) Contract: the processing is necessary for a contract you have with the person, or because they have asked you to take specific steps before entering into a contract. 

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). 

(d) Vital interests: the processing is necessary to protect someone’s life. 

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions and the task or function has a clear basis in law.

(ea) Recognised legitimate interest: the processing is necessary for one of the pre-approved purposes. These are: 

      • safeguarding “vulnerable” people; 
      • responding to emergencies; 
      • preventing or investigating crime; 
      • national security, public security and defence; and 
      • sharing personal information with an organisation that needs it for their public task or function at their request.

This basis can’t apply if you’re a public authority processing personal information to perform your official tasks. 

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the person’s information which overrides those legitimate interests. This basis can’t apply if you’re a public authority handling personal information to perform your official tasks.  

When is processing ‘necessary’? 

Many of the lawful bases depend on your use of the personal information being “necessary”. This doesn’t mean that using the personal information has to be absolutely essential. However, it must be more than just useful and more than standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis won’t apply if you can reasonably achieve the purpose by some other less intrusive means or by processing less personal information. 

It is not enough to argue that handling the personal information is necessary because you operate your business in a particular way. The question is whether the use of personal information is objectively necessary for your stated purpose, not whether it’s a necessary part of your chosen methods.  

Why is the lawful basis important? 

The UK GDPR says that you must handle all personal information:  

  • lawfully;  
  • fairly; and  
  • transparently.  

If no lawful basis applies, your use of the personal information breaches the lawfulness, fairness and transparency principle and is therefore unlawful.  

People also have the right to have their information erased if it has been handled unlawfully. 

The UK GDPR’s right to be informed says you must provide people with information about your lawful basis. This means you must include these details in your privacy information. 

The lawful basis you use can also affect which rights are available to people. For example, some rights won’t apply. The table below lists the lawful bases and highlights if the rights to erasure, portability and object aren’t available: 

  Lawful basis                     Right to erasure   Right to portability   Right to object
  Consent                          available          available              x (but right to withdraw consent)
  Contract                         available          available              x
  Legal obligation                 x                  x                      x
  Vital interests                  available          x                      x
  Public task                      x                  x                      available
  Recognised legitimate interest   available          x                      available
  Legitimate interests             available          x                      available

  (x = right not available under that lawful basis)

However, people have the absolute right to object to the use of their information for the purposes of direct marketing, whatever lawful basis applies.

The rights that do apply aren’t always absolute, and other rights may be affected in other ways. For example: 

  • your lawful basis may affect how provisions about automated decisions and profiling apply; and
  • if you’re relying on legitimate interests, you must have more detail in your privacy information (the right to be informed). 

Further reading – ICO guidance

A guide to individual rights

How do we decide which lawful basis applies?

This depends on your specific purposes and the context of what you want to use the personal information for. You should think about why you want to use the information and consider which lawful basis best fits the circumstances. 

You might consider that more than one basis applies to your purpose. If you decide that more than one basis does apply, you must identify and document all of them from the start. 

You should not adopt a one-size-fits-all approach. No one basis is always better, safer or more important than the others. There is no hierarchy in the order of the list in the UK GDPR. 

Several of the lawful bases link to a particular specified purpose: 

  • a legal obligation;
  • performing a contract with the person;
  • protecting someone’s vital interests; and
  • performing your public tasks.

The recognised legitimate interest basis covers a set of pre-approved purposes:

  • emergencies;
  • safeguarding “vulnerable” people;
  • preventing or investigating crime;
  • national security, public security and defence; and
  • sharing personal information with an organisation that needs it for their public task or function (at their request). 

If you want to handle personal information for a specified or pre-approved purpose then the appropriate lawful basis may well be obvious, so it is helpful to consider these first. 

In other cases, you’re likely to have a choice between using legitimate interests or consent. You should give some thought to the wider context, including:

  • Who will benefit from what you want to do?
  • Would people expect you to use their information?
  • What is your relationship with the person?
  • Are you in a position of power over them?
  • How will what you want to do impact the person?
  • Are they at greater risk of harm than other people?
  • Are some people likely to object to what you want to do?
  • Can you stop using the personal information at any time on request?

You may prefer to consider legitimate interests as your lawful basis if: 

  • you wish to keep control and take responsibility for demonstrating that it is in line with people’s reasonable expectations; and
  • what you want to do wouldn’t have an unwarranted impact on them. 

On the other hand, if you prefer to give people full control over and responsibility for their information (including the ability to change their mind as to whether you can continue using it), you may want to consider relying on consent.

It’s likely you’ll want to use personal information for different purposes. In some circumstances, you may find that a different lawful basis applies to each of your activities.

Other ICO resources

We’ve produced the lawful basis interactive guidance tool to give more tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.

Is this different for public authorities?

The basic approach is the same. You should think about your purposes and choose whichever basis fits best. 

The Data Protection Act 2018 (DPA) says that “public authority” means a public authority under the Freedom of Information Act or Freedom of Information (Scotland) Act – with the exception of parish and community councils. 

If you’re a public authority, much of what you do is likely to be covered by the public task basis. You can use this basis if you can demonstrate that your use of the personal information is necessary to perform your tasks as set down in UK law or “relevant international law”. 

If you’re a public authority, there are some limitations on your ability to use consent, legitimate interests and recognised legitimate interest as a lawful basis. But you may still be able to consider these three lawful bases in some cases, depending on the nature of the processing and your relationship with the person. For more information, see the specific guidance on each lawful basis in the further reading box.

Example

A university that wants to handle personal information may consider a variety of lawful bases depending on what they want to do with the information. 

Universities are classified as public authorities, so it’s likely that they can use the public task basis for much of what they want to do with personal information, depending on the detail of their constitutions and legal powers. If the processing is separate from their tasks as a public authority, the university should identify a different lawful basis. They may consider whether consent or legitimate interests are appropriate. For example, a university might rely on: 

  • public task for using personal information for teaching and research purposes; and
  • a mixture of legitimate interests and consent for alumni relations and fundraising purposes.

However, the university should consider their basis carefully – it’s their responsibility to show which lawful basis applies to the particular processing purpose.

Can we change our lawful basis?

You must determine your lawful basis before starting to handle personal information. It’s important to get this right first time. If you find at a later date that your chosen basis was inappropriate, you may find it difficult to simply swap to a different one. Even if you might have applied a different basis from the start, it’s likely that retrospectively switching lawful bases would be inherently unfair to people and lead to breaches of accountability and transparency requirements. 

Example

A company decided to use personal information on the basis of consent. A person subsequently withdrew their consent. However, the company wanted to keep using their information, so decided to swap to the legitimate interests lawful basis.

Even if the company might have originally relied on legitimate interests, they cannot do so at a later date. They cannot switch bases when they realised that the original chosen basis was inappropriate (in this case, because they didn’t want to offer people genuine ongoing control). The company didn’t make clear to people from the start that they were processing on the basis of legitimate interests. It is inherently unfair to lead people to believe they had a choice if they do not. Therefore, the company must stop using the personal information when someone withdraws their consent.

You should thoroughly assess upfront which basis is appropriate and you must document this. It may be possible that more than one basis applies because you have more than one purpose. If this is the case, then you must make this clear from the start.

Sometimes you may have a genuine change in circumstances or a new and unanticipated purpose. This means there is a good reason to review your lawful basis and make a change. However, you must tell people about this before doing anything new with their information (unless an exception applies) and document the change.

What happens if we have a new purpose?

If your purposes change over time or you have a new purpose which you didn’t originally anticipate, you must comply with the purpose limitation principle. In summary, you can only go ahead with what you want to do if the new purpose is compatible with the original purpose. The UK GDPR provides a set of rules to help you determine if your new purpose is ‘compatible’. These differ slightly depending on whether you originally collected the personal information under the consent lawful basis. The UK GDPR also includes a list of reuses that are treated as compatible with your original purpose. In other circumstances, you must assess compatibility yourself.

All processing must be lawful. This means you must identify a lawful basis for your new purpose. The original basis you used to collect the personal information may not always be appropriate for your new use of the information. 

In most cases, it’s likely to be obvious which lawful basis is appropriate. For example: 

  • if you need to further use personal information to comply with a legal obligation, such as a court order, your lawful basis is likely to be legal obligation; or
  • if you’re relying on a legal provision allowing the new use of personal information in the public interest, your lawful basis is likely to be public task.

There are also several compatible purposes listed in annex 2 of the UK GDPR. These are similar to the conditions in the recognised legitimate interest lawful basis. Therefore, if you’re processing for one of these compatible purposes, recognised legitimate interest may apply as your lawful basis (unless you’re a public authority and the reuse is for your public tasks).

If your new processing is for research purposes, in most circumstances your lawful basis is likely to be either public task or legitimate interests. 

If you’re getting consent for your new purpose, then your lawful basis is consent. In this case, the processing for the new purpose is considered as compatible with your original purpose. 

However, if you originally collected the personal information using consent, you’re more restricted in what you can reuse it for. This is because consent means giving people real choice and control over how you use their information. Consent is only valid when it is specific and informed. It won’t be valid if people don’t know and understand what you’re going to do with their information. 

For reusing personal information collected using consent to be compatible, you must do one of the following:

  • get new consent that covers the new specified, legitimate and explicit purpose;
  • reuse the personal information to comply with a principle of the UK GDPR or to demonstrate that it does;
  • reuse the information for a purpose in annex 2 and it’s not reasonable to expect you to get new consent; or
  • reuse the information because it’s necessary to safeguard a public interest objective (as listed in article 23 of the UK GDPR) that is authorised by law and it’s not reasonable to expect you to get new consent.

You must identify another lawful basis if you’re not getting new consent.

If your proposed new purpose isn’t listed as a compatible purpose in the UK GDPR, you must first assess whether it’s compatible with your original purpose. We consider a compatibility assessment is likely to look at similar factors as a legitimate interests assessment (LIA). Although there’s no requirement to do so, you could therefore use our LIA template to help you assess compatibility. This will also help you identify your lawful basis at the same time.

If you’re using special category data, you must also identify an appropriate condition which applies to your new purpose (see the section What if we want to use special category data? for more information). Likewise, if you want to use criminal offence data for your new purpose you must meet the additional requirements for using this type of information (see the section What if we want to use criminal offence data? for more information).  

Further reading – ICO guidance

For more information on reusing personal information and compatibility see our guidance on purpose limitation.

How do we document our lawful basis?

The principle of accountability means you must: 

  • demonstrate that you’re complying with the UK GDPR and have appropriate policies and processes; and
  • show that you’ve properly considered which lawful basis applies to each processing purpose and can justify your decision.

Therefore, you must keep a record of which basis you’re relying on for each purpose and a justification for why you believe it applies. There is no standard form for this, as long as you ensure that what you record is sufficient to demonstrate that a lawful basis applies. This will help you comply with your accountability obligations and will also help you when writing your privacy information. 

It's your responsibility to ensure that you can demonstrate which lawful basis applies to each processing purpose.

Further reading – ICO guidance

The Accountability Framework looks at the ICO’s expectations in relation to lawful basis. See also the Accountability principle.

What do we need to tell people?

You must include information about your lawful basis (or bases, if more than one applies) in your privacy information. 

Under the transparency provisions of the UK GDPR, the information you must give people includes: 

  • your intended purposes for using the personal information; and
  • the lawful basis you will be using.

This applies whether you collect the personal information directly from people or from another source. 

Further reading – ICO guidance

For more information on your transparency obligations see our guidance on the right to be informed.

What if we want to use special category data?

If you intend to use special category data, you must identify: 

  • a lawful basis; and
  • a special category condition. 

You must document both your lawful basis and your special category condition so that you can demonstrate compliance and accountability.

Further reading – ICO guidance

Special category data

What if we want to use criminal offence data?

If you intend to use information about people’s criminal convictions, criminal offences or related security measures, you must have:

  • a lawful basis; and
  • either “official authority” or a separate condition for processing this information. 

You must document both your lawful basis and your criminal offence data condition so that you can demonstrate compliance and accountability.

Further reading – ICO guidance

Criminal offence data

Checklist

 We’ve reviewed the purposes of our activities and selected the most appropriate lawful basis (or bases) for each activity.

 If required by the lawful basis, we’ve checked that what we want to do is necessary for our purpose and are satisfied that there is no other reasonable way to achieve that purpose.

 We’ve documented our decision on which lawful basis applies to help us demonstrate compliance. 

 We’ve included information about both the purposes of the processing and the lawful basis for the processing in our privacy information.

 Where we use special category data, we’ve also identified a condition for using special category data and have documented this.

 Where we use criminal offence data, we’ve also identified a condition for using this type of information (if we don’t have official authority to use it) and have documented this.