---
title: "What should teams do about Lawful Bases under the UK GDPR?"
canonical_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/lawful-bases"
source_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/lawful-bases"
author: "Sorena AI"
description: "UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK GDPR"
  - "Lawful Bases"
  - "UK GDPR Lawful Bases"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# What should teams do about Lawful Bases under the UK GDPR?

UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations.

*Artifact Guide* *UK* *Lawful Bases*

## UK GDPR Lawful Bases

Lawful Bases decisions under the UK GDPR should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.

This guide converts requirements into implementation-ready ownership, evidence, and review decisions. It is practical guidance, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

The UK GDPR has seven lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests, and recognised legitimate interest. Teams should pick the basis that matches the actual purpose of the processing and document why it applies before they start processing personal data.

## How should teams choose a lawful basis under the UK GDPR?

Teams should treat Lawful Bases under the UK GDPR as a source-linked operating decision: confirm whether the issue affects controller/processor roles, lawful basis, transparency, DPIA, data-subject rights, breach notification, IDTA/Addendum transfers, children data, or ICO enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the controller/processor role, purpose, lawful basis, special-category status, right, breach, transfer, or child-data trigger before assigning the UK GDPR action.

- Write the Lawful Bases decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [ICO guide to lawful basis](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/?ref=sorena.io) - ICO guidance confirms Article 6 lawful bases and the need to choose at least one before handling personal information.
- [ICO guide to data protection principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - ICO principles guidance supports linking lawful basis decisions to fairness, transparency, accountability, and documented processing controls.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Directly supports the FAQ answer by tying processing decisions to Article 6 lawful-basis selection and evidence.

## What evidence should teams keep for Lawful Bases under the UK GDPR?

Useful evidence is not just a privacy notice. Keep the source, lawful-basis note, DPIA, rights log, breach assessment, transfer mechanism, processor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ICO guide to lawful basis](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/?ref=sorena.io) - ICO guidance confirms Article 6 lawful bases and the need to choose at least one before handling personal information.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Supports evidence guidance by connecting lawful-basis decisions to accountability records and review material.
- [Guidance on AI and Data Protection](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/?ref=sorena.io) - Supports evidence guidance by connecting lawful-basis decisions to accountability records and review material.

## Which mistakes create risk when handling Lawful Bases under the UK GDPR?

The common failure pattern is copying an EU GDPR answer without checking UK GDPR wording, DPA 2018 limits, ICO guidance, UK transfer tools, PECR overlap, and post-Brexit divergence.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172937/GDPR-documentation-controller-template.xlsx?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [A Guide to the Data Protection Principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Guidance on AI and Data Protection](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/?ref=sorena.io) - Risk and boundary support for the FAQ answer.

## Primary sources

- [ICO guide to lawful basis](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/?ref=sorena.io) - ICO guidance confirms Article 6 lawful bases and the need to choose at least one before handling personal information.
  - Quote: "You must apply at least one of these whenever you want to handle personal information"
- [ICO guide to data protection principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - ICO principles guidance supports linking lawful basis decisions to fairness, transparency, accountability, and documented processing controls.
  - Quote: "The principles lie at the heart of the UK GDPR"
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Supports the lawful-bases answer by confirming the UK GDPR basis, principle, or documentation step that must be evidenced.
  - Quote: "Detailed guidance A detailed overview of how to apply the principles of the UK GDPR to the use"
- [Guidance on AI and Data Protection](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/?ref=sorena.io) - Supports the lawful-bases answer by confirming the UK GDPR basis, principle, or documentation step that must be evidenced.
  - Quote: "How are solely automated decision-making and relevant safeguards linked to fairness, and key questions to ask when considering"
- [ICO records of processing and lawful basis](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/records-of-processing-and-lawful-basis/?ref=sorena.io) - ICO accountability framework connects ROPA completeness with documenting and justifying lawful bases under Articles 6, 9, and 10.
  - Quote: "You document and appropriately justify your organisation's lawful basis"

## Topic Guides

- [UK GDPR 72-hour Breach Reporting Guide](/artifacts/uk/general-data-protection-regulation/72-hour-breach-reporting.md): UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Adequacy Guide](/artifacts/uk/general-data-protection-regulation/adequacy.md): UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR AI And Automated Decisions Guide](/artifacts/uk/general-data-protection-regulation/ai-and-automated-decisions.md): UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Applicability Test Guide](/artifacts/uk/general-data-protection-regulation/applicability-test.md): Practical guidance for the UK GDPR applicability test, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Article 30 Records Guide](/artifacts/uk/general-data-protection-regulation/article-30-records.md): UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Breach Notification Guide](/artifacts/uk/general-data-protection-regulation/breach-notification.md): UK GDPR guidance for Breach Notification, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Breach Workflow Guide](/artifacts/uk/general-data-protection-regulation/breach-workflow.md): UK GDPR guidance for Breach Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Children And Age Appropriate Design Guide](/artifacts/uk/general-data-protection-regulation/children-and-age-appropriate-design.md): UK GDPR guidance for Children And Age Appropriate Design, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Children's Code Guide](/artifacts/uk/general-data-protection-regulation/children-s-code.md): UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Compliance Checklist](/artifacts/uk/general-data-protection-regulation/checklist.md): Practical guidance for the UK GDPR checklist, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Compliance FAQ](/artifacts/uk/general-data-protection-regulation/faq.md): Practical guidance for the UK GDPR FAQ, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Compliance Guide](/artifacts/uk/general-data-protection-regulation/compliance.md): Practical guidance for the UK GDPR compliance, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Controller And Processor Status Guide](/artifacts/uk/general-data-protection-regulation/controller-and-processor-status.md): UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Data Subject Rights Guide](/artifacts/uk/general-data-protection-regulation/data-subject-rights.md): UK GDPR guidance for Data Subject Rights, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Deadlines and Compliance Calendar Guide](/artifacts/uk/general-data-protection-regulation/deadlines-and-compliance-calendar.md): UK GDPR guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR DPIA Workflow Guide](/artifacts/uk/general-data-protection-regulation/dpia-workflow.md): UK GDPR guidance for DPIA Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR DPIAs And DPOs Guide](/artifacts/uk/general-data-protection-regulation/dpias-and-dpos.md): UK GDPR guidance for DPIAs And DPOs, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR DSAR Workflow Guide](/artifacts/uk/general-data-protection-regulation/dsar-workflow.md): UK GDPR guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR IDTA Addendum and Transfer Risk Assessment Guide](/artifacts/uk/general-data-protection-regulation/idta-addendum-and-transfer-risk-assessment.md): UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR IDTA vs EU SCCs Guide](/artifacts/uk/general-data-protection-regulation/idta-vs-eu-sccs.md): UK GDPR guidance for IDTA vs EU SCCs, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Lawful Bases Guide](/artifacts/uk/general-data-protection-regulation/lawful-bases.md): UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR PECR Cookies Guide](/artifacts/uk/general-data-protection-regulation/pecr-cookies.md): UK GDPR and PECR cookie guidance with practical consent, exemption, evidence, and source-linked implementation decisions.
- [UK GDPR penalties and fines Guide](/artifacts/uk/general-data-protection-regulation/penalties-and-fines.md): UK GDPR guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Requirements Guide](/artifacts/uk/general-data-protection-regulation/requirements.md): Practical guidance for the UK GDPR requirements, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Transfer Workflow Guide](/artifacts/uk/general-data-protection-regulation/transfer-workflow.md): UK GDPR guidance for Transfer Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Transfers, IDTA, and UK Addendum Guide](/artifacts/uk/general-data-protection-regulation/transfers-idta-and-uk-addendum.md): UK GDPR guidance for transfers, IDTA, and UK Addendum, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR UK vs EU Differences Guide](/artifacts/uk/general-data-protection-regulation/uk-vs-eu-differences.md): UK GDPR guidance for UK vs EU Differences, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR UK vs EU GDPR Differences Guide](/artifacts/uk/general-data-protection-regulation/uk-vs-eu-gdpr-differences.md): UK GDPR guidance for UK vs EU GDPR Differences, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR vs Data Protection Act 2018 Guide](/artifacts/uk/general-data-protection-regulation/uk-gdpr-vs-data-protection-act-2018.md): UK GDPR guidance for UK GDPR vs Data Protection Act 2018, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR vs EU GDPR Guide](/artifacts/uk/general-data-protection-regulation/uk-gdpr-vs-eu-gdpr.md): UK GDPR guidance for UK GDPR vs EU GDPR, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md): UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md): UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md): UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md): UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md): UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md): UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md): UK GDPR guidance for DPIAs, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md): UK GDPR guidance for DPOs, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md): UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md): UK GDPR guidance for PECR Cookies, with practical decisions, evidence, edge cases, and external source citations.

*Recommended next step*

*Placement: after the practical guidance*

## Turn UK GDPR Lawful Bases into assigned work

This UK GDPR guide turns Lawful Bases into owners, evidence requests, review checkpoints, and reusable operating records for implementation execution.

- [Open Assessment Autopilot for UK GDPR](/solutions/assessment.md): Turn Lawful Bases into scoped questions, evidence fields, and review tasks.
- [Review UK GDPR source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material.
- [Talk through implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/lawful-bases