GDPR was introduced in Europe more than a year and a half ago, designed to “fundamentally reshape the way in which data in handled”.

Despite the benefits the regulation was designed to provide, 84% of UK consumers don’t feel like their information is being properly protected. Worryingly, they might be right. It is estimated that nearly a third of European businesses are still not GDPR compliant.

GDPR states that businesses must have a valid lawful basis in order to process an individual’s personal data and defines six specific bases. Each one will be applicable in different circumstances. Generally, if you could reasonably complete a task without using an individual’s data in a less intrusive way, the basis will not apply.

Understanding each basis and knowing how to apply the guidelines for each to the information you handle can make it much easier to achieve compliance.



You may process an individual’s data if they have given you explicit consent to do so. You must be clear and direct about what you are asking individuals to consent to, so that they have reasonable expectations of how you will use their data.

This gives them control over how you use their data as it requires active participation on the part of the person involved. This means that you can’t use pre-ticked boxes, for instance, when asking for consent and you also can’t require consent to unnecessary processing as a precondition of service.


This basis applies when you need to process an individual’s data in order to fulfil a contractual obligation.

It also applies if they have asked you to do something as a requirement of entering into a contract in future, such as providing a quote based on information they have provided. This applies regardless of whether or not a contract is entered into later, providing it is clear that this was the expected result when the data was processed.

In this case, a contract does not have to be a formal written and signed document, as long as an agreement is reached and terms accepted in a way that meets the requirements of contract law.

Legal obligation

This basis applies when you need to process someone’s information to comply with another law or statutory obligation. This is separate from contractual obligations and applies to both EU and UK laws.

You should be able to specify which legal provision requires you to uses someone’s data when applying this basis to your processes.

Vital interests

Vital interest refers to when processing someone’s personal data protects their life.

This most often applies to medical patients in critical condition, such as someone who has been rushed to the emergency room with life-threatening injuries. In this case, the hospital will need access to their medical history in order to treat them. This lawful basis grants the hospital access to that information even if the patient is incapable of giving consent.

Public task

You may process a person’s data as a public task if you are doing so “in the exercise of official duty”. This includes public functions and specific tasks done by law in the public interest.

This basis is usually applied to the actions of public authorities, such as parliamentary or governmental functions, or activities that promote democratic engagement.

However, it can also be applied to non-authoritative organisations that carry out tasks in the public interest. This means it would also be relevant when processing data for scientific or statistical research.

Legitimate interest

Legitimate interest is the most flexible of the six lawful bases set out by GDPR and, by extension, the most difficult to determine. It requires you to take on the most responsibility when it comes to the data you handle as it is left largely up to your best judgement to apply it.

A legitimate interest can be your interest, the individual’s interest or the interest of a third party. An ‘interest’ can be a commercial interest, a personal interest or a broader societal interest.

You must show that you have balanced the need to process data properly and fairly. You cannot apply legitimate interest to override any of the individual’s other legal rights or freedom, including the freedom to be forgotten. This basis can only be applied as long as you are complying with any other privacy rules and regulations that are relevant in your situation.


Find out how ThreatAware can help manage your compliance and cybersecurity processes by signing up for a free trial.