- Operational implementation support for Lawful Bases.
"The principles lie at the heart of the UK GDPR"
Lawful Bases decisions under the UK GDPR should name the exact basis, explain why it fits the processing, and record the evidence that supports the choice.
The six UK GDPR lawful bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. This guide turns them into an implementation-ready decision aid with ownership, evidence, and review steps, and it should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.
This page explains the six UK GDPR lawful bases - consent, contract, legal obligation, vital interests, public task, and legitimate interests - and gives a practical way to choose between them for a processing activity.
Start by identifying the processing purpose and matching it to the lawful basis that fits the facts: consent for a clear permission-based use; contract where processing is needed to perform a contract or to take steps before entering one; legal obligation where the law requires the processing; vital interests where processing protects life; public task where the controller needs the processing to carry out a task in the public interest or in the exercise of official authority; or legitimate interests where the controller or a third party has a legitimate purpose that is not overridden by the individual's interests, rights, or freedoms.
A useful decision should name the exact basis, explain why the other bases do not fit, and keep the UK GDPR source, DPA 2018 context, role map, and supporting evidence together.
Ownership should sit with the team that controls the processing purpose, system behavior, vendor terms, transfer mechanism, rights channel, breach process, or child-user journey.
Evidence should show role mapping, lawful basis, Article 9/10 basis where needed, transparency wording, DPIA outcome, DSAR response, breach assessment, transfer mechanism, processor terms, and ICO escalation note.
Most UK GDPR mistakes happen at the boundary between UK GDPR, DPA 2018, PECR, EU GDPR divergence, IDTA/Addendum transfer rules, children data, and processor/subprocessor duties.
Use this section before approving a new processing purpose, vendor, transfer, profiling flow, DSAR workflow, breach process, or child-facing product change.
Use a UK GDPR workflow that captures role, purpose, lawful basis, special-category status, DPIA trigger, rights/breach/transfer trigger, evidence, owner, and review date.
The output should be a lawful-basis note, DPIA decision, privacy notice update, DSAR record, breach assessment, transfer pack, processor clause map, or ICO response record.
This UK GDPR guide turns Lawful Bases into owners, evidence requests, review checkpoints, and reusable operating records for implementation execution.
"This is an Article 30 Record of Processing Activities table"
"How are solely automated decision-making and relevant safeguards linked to fairness, and key questions to ask when considering"
"guide to filling out the Manual Template"
"Detailed guidance A detailed overview of how to apply the principles of the UK GDPR to the use"