---
title: "UK GDPR Lawful Bases Guide"
canonical_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/lawful-bases"
source_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/lawful-bases"
author: "Sorena AI"
description: "UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK GDPR"
  - "Lawful Bases"
  - "UK GDPR Lawful Bases"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# UK GDPR Lawful Bases Guide

UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations.

*Artifact Guide* *UK* *Lawful Bases*

## UK GDPR Lawful Bases

Lawful Bases decisions under the UK GDPR should name the exact basis, explain why it fits the processing, and record the evidence that supports the choice.

The six UK GDPR lawful bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. This guide turns them into an implementation-ready decision aid with ownership, evidence, and review steps, and it should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

This page explains the six UK GDPR lawful bases - consent, contract, legal obligation, vital interests, public task, and legitimate interests - and gives a practical way to choose between them for a processing activity.

## What should teams decide about Lawful Bases under the UK GDPR?

Start by identifying the processing purpose and matching it to the lawful basis that fits the facts: consent for a clear permission-based use; contract where processing is needed to perform or take steps before a contract; legal obligation where the law requires the processing; vital interests where processing protects life; public task where the controller needs it to carry out a task in the public interest or official authority; or legitimate interests where the controller or a third party has a legitimate purpose that is not overridden by the individual's interests, rights, or freedoms.

A useful decision should name the exact basis, explain why the other bases do not fit, and keep the UK GDPR source, DPA 2018 context, role map, and supporting evidence together.

- Define the exact Lawful Bases trigger and the business process it affects.
- Record which role, product, system, customer group, or data flow is in scope.
- Attach the source-linked rule, the owner, and the evidence field before approving the control.
- Use the six lawful bases as the first decision step, then check whether special-category or criminal-offence data needs an additional condition.
- Escalate uncertainty when the facts depend on thresholds, exemptions, cross-border activity, vulnerable users, or enforcement-sensitive wording.

Sources for this answer:

- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172937/GDPR-documentation-controller-template.xlsx?ref=sorena.io) - ICO Article 30 template support for documenting each processing activity, including the lawful-basis evidence teams need to keep with the decision.
- [A Guide to the Data Protection Principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - Primary source support for the Lawful Bases decision.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Primary source support for the Lawful Bases decision.

## Who should own Lawful Bases, and what evidence should prove the decision?

Ownership should sit with the team that controls the processing purpose, system behavior, vendor terms, transfer mechanism, rights channel, breach process, or child-user journey.

Evidence should show role mapping, lawful basis, Article 9/10 basis where needed, transparency wording, DPIA outcome, DSAR response, breach assessment, transfer mechanism, processor terms, and ICO escalation note.

- Name one accountable owner and one reviewer for the Lawful Bases workflow.
- Keep source screenshots or source links, decision notes, implementation tickets, and approval records together.
- Use dated evidence for deadlines, notices, risk assessments, contracts, user journeys, and regulator-facing records.
- Review the evidence after product changes, new markets, new vendors, enforcement updates, or material changes in the source text.

Sources for this answer:

- [A Guide to the Data Protection Principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - Evidence and ownership support for UK GDPR.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Evidence and ownership support for UK GDPR.
- [Guidance on AI and Data Protection](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/?ref=sorena.io) - Evidence and ownership support for UK GDPR.

## Which edge cases should teams check before relying on a Lawful Bases decision?

Most UK GDPR mistakes happen at the boundary between UK GDPR, DPA 2018, PECR, EU GDPR divergence, IDTA/Addendum transfer rules, children data, and processor/subprocessor duties.

Use this section before approving a new processing purpose, vendor, transfer, profiling flow, DSAR workflow, breach process, or child-facing product change.

- Check whether the rule changes for minors, consumers, business users, public-sector bodies, regulated sectors, high-risk services, or cross-border transfers.
- Separate binding law, regulator guidance, consultation material, standards, and enforcement commentary in the evidence record.
- Do not rely on a previous answer if the data categories, user interface, vendor role, or contractual flow changed.
- Track unresolved assumptions in an open-questions section and route legal interpretation points for review.

Sources for this answer:

- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172937/GDPR-documentation-controller-template.xlsx?ref=sorena.io) - Boundary and edge-case support for this artifact page.
- [A Guide to the Data Protection Principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - Boundary and edge-case support for this artifact page.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Boundary and edge-case support for this artifact page.
- [Guidance on AI and Data Protection](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/?ref=sorena.io) - Boundary and edge-case support for this artifact page.

## How should teams operationalize Lawful Bases with proportionate controls?

Use a UK GDPR workflow that captures role, purpose, lawful basis, special-category status, DPIA trigger, rights/breach/transfer trigger, evidence, owner, and review date.

The output should be a lawful-basis note, DPIA decision, privacy notice update, DSAR record, breach assessment, transfer pack, processor clause map, or ICO response record.

- Create a short intake question that identifies the Lawful Bases scenario.
- Map the answer to a required action, evidence field, owner, reviewer, and review date.
- Link related artifact pages with descriptive anchors so users can move from scope to deadlines, controls, penalties, and templates.
- Update the workflow when official source material changes or when internal evidence shows recurring exceptions.

Sources for this answer:

- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172937/GDPR-documentation-controller-template.xlsx?ref=sorena.io) - Operational implementation support for Lawful Bases.
- [A Guide to the Data Protection Principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - Operational implementation support for Lawful Bases.
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Operational implementation support for Lawful Bases.

*Recommended next step*

*Placement: after the practical guidance*

## Turn UK GDPR Lawful Bases into assigned work

This UK GDPR guide turns Lawful Bases into owners, evidence requests, review checkpoints, and reusable operating records for implementation execution.

- [Open Assessment Autopilot for UK GDPR](/solutions/assessment.md): Turn Lawful Bases into scoped questions, evidence fields, and review tasks.
- [Review UK GDPR source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material.
- [Talk through implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena.

## Primary sources

- [Article 30 Record of Processing Activities](https://ico.org.uk/media2/migrated/2172937/GDPR-documentation-controller-template.xlsx?ref=sorena.io) - Supports Lawful Bases under the UK GDPR.
  - Quote: "This is an Article 30 Record of Processing Activities table"
- [A Guide to the Data Protection Principles](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/?ref=sorena.io) - Supports Lawful Bases under the UK GDPR.
  - Quote: "The principles lie at the heart of the UK GDPR"
- [UK ICO artificial intelligence guidance](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/?ref=sorena.io) - Supports Lawful Bases under the UK GDPR.
  - Quote: "Detailed guidance A detailed overview of how to apply the principles of the UK GDPR to the use"
- [Guidance on AI and Data Protection](https://ico.org.uk/for-organisations/uk-GDPR-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/?ref=sorena.io) - Supports Lawful Bases under the UK GDPR.
  - Quote: "How are solely automated decision-making and relevant safeguards linked to fairness, and key questions to ask when considering"
- [UK data adequacy assessment guidance](https://assets.publishing.service.gov.uk/media/6124cd628fa8f53dd0d60138/Manual_Guidance.pdf?ref=sorena.io) - UK government guidance for adequacy assessments and international data transfer context.
  - Quote: "guide to filling out the Manual Template"

## Related Topic Guides

- [UK GDPR 72-hour Breach Reporting Guide](/artifacts/uk/general-data-protection-regulation/72-hour-breach-reporting.md): UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Adequacy Guide](/artifacts/uk/general-data-protection-regulation/adequacy.md): UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR AI And Automated Decisions Guide](/artifacts/uk/general-data-protection-regulation/ai-and-automated-decisions.md): UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Applicability Test Guide](/artifacts/uk/general-data-protection-regulation/applicability-test.md): Practical guidance for the UK GDPR applicability test, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Article 30 Records Guide](/artifacts/uk/general-data-protection-regulation/article-30-records.md): UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Breach Notification Guide](/artifacts/uk/general-data-protection-regulation/breach-notification.md): UK GDPR guidance for Breach Notification, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Breach Workflow Guide](/artifacts/uk/general-data-protection-regulation/breach-workflow.md): UK GDPR guidance for Breach Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Children And Age Appropriate Design Guide](/artifacts/uk/general-data-protection-regulation/children-and-age-appropriate-design.md): UK GDPR guidance for Children And Age Appropriate Design, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Children's Code Guide](/artifacts/uk/general-data-protection-regulation/children-s-code.md): UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Compliance Checklist](/artifacts/uk/general-data-protection-regulation/checklist.md): Practical guidance for the UK GDPR checklist, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Compliance FAQ](/artifacts/uk/general-data-protection-regulation/faq.md): Practical guidance for the UK GDPR FAQ, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Compliance Guide](/artifacts/uk/general-data-protection-regulation/compliance.md): Practical guidance for the UK GDPR compliance, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Controller And Processor Status Guide](/artifacts/uk/general-data-protection-regulation/controller-and-processor-status.md): UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Data Subject Rights Guide](/artifacts/uk/general-data-protection-regulation/data-subject-rights.md): UK GDPR guidance for Data Subject Rights, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Deadlines and Compliance Calendar Guide](/artifacts/uk/general-data-protection-regulation/deadlines-and-compliance-calendar.md): UK GDPR guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR DPIA Workflow Guide](/artifacts/uk/general-data-protection-regulation/dpia-workflow.md): UK GDPR guidance for DPIA Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR DPIAs And DPOs Guide](/artifacts/uk/general-data-protection-regulation/dpias-and-dpos.md): UK GDPR guidance for DPIAs And DPOs, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR DSAR Workflow Guide](/artifacts/uk/general-data-protection-regulation/dsar-workflow.md): UK GDPR guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR IDTA Addendum and Transfer Risk Assessment Guide](/artifacts/uk/general-data-protection-regulation/idta-addendum-and-transfer-risk-assessment.md): UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR IDTA vs EU SCCs Guide](/artifacts/uk/general-data-protection-regulation/idta-vs-eu-sccs.md): UK GDPR guidance for IDTA vs EU SCCs, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR PECR Cookies Guide](/artifacts/uk/general-data-protection-regulation/pecr-cookies.md): UK GDPR and PECR cookie guidance with practical consent, exemption, evidence, and source-linked implementation decisions.
- [UK GDPR penalties and fines Guide](/artifacts/uk/general-data-protection-regulation/penalties-and-fines.md): UK GDPR guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Requirements Guide](/artifacts/uk/general-data-protection-regulation/requirements.md): Practical guidance for the UK GDPR requirements, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Transfer Workflow Guide](/artifacts/uk/general-data-protection-regulation/transfer-workflow.md): UK GDPR guidance for Transfer Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR Transfers, IDTA, and UK Addendum Guide](/artifacts/uk/general-data-protection-regulation/transfers-idta-and-uk-addendum.md): UK GDPR guidance for transfers, IDTA, and UK Addendum, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR UK vs EU Differences Guide](/artifacts/uk/general-data-protection-regulation/uk-vs-eu-differences.md): UK GDPR guidance for UK vs EU Differences, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR UK vs EU GDPR Differences Guide](/artifacts/uk/general-data-protection-regulation/uk-vs-eu-gdpr-differences.md): UK GDPR guidance for UK vs EU GDPR Differences, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR vs Data Protection Act 2018 Guide](/artifacts/uk/general-data-protection-regulation/uk-gdpr-vs-data-protection-act-2018.md): UK GDPR guidance for UK GDPR vs Data Protection Act 2018, with practical decisions, evidence, edge cases, and external source citations.
- [UK GDPR vs EU GDPR Guide](/artifacts/uk/general-data-protection-regulation/uk-gdpr-vs-eu-gdpr.md): UK GDPR guidance for UK GDPR vs EU GDPR, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md): UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md): UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md): UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md): UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md): UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md): UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md): UK GDPR guidance for DPIAs, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md): UK GDPR guidance for DPOs, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md): UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md): UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md): UK GDPR guidance for PECR Cookies, with practical decisions, evidence, edge cases, and external source citations.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/general-data-protection-regulation/lawful-bases