To use personal data lawfully you need a reason the law recognises, called a lawful basis. There are six, and picking the right one matters: it decides which rights people can exercise against you (the right to object applies to legitimate interests and public task, for example, and data portability only to consent and contract) and what you are allowed to do with the data.
The six bases
- Consent. The person has clearly agreed: a freely given, specific, informed opt-in, not a pre-ticked box. They can withdraw it, and withdrawing must be as easy as giving it; if they do, you must stop. Best for genuinely optional things like marketing emails.
- Contract. You need the data to deliver something they asked for, like shipping an order or running their subscription.
- Legal obligation. A law makes you do it, such as keeping payroll and tax records.
- Vital interests. To protect someone’s life. Rare outside emergencies and healthcare.
- Public task. For official functions in the public interest. Mostly relevant to public bodies.
- Legitimate interests. A genuine business need that the person’s own interests and rights do not outweigh. Flexible, but to rely on it you have to do a short three-part test (is the purpose legitimate, is the processing necessary for it, and does it pass the balancing test) and keep a record of it.
The new one: recognised legitimate interests
The Data (Use and Access) Act 2025 added recognised legitimate interests as a further basis, for a narrow, defined set of purposes such as preventing crime, safeguarding vulnerable people, and responding to emergencies. For those, you still have to show the processing is necessary for the purpose, but you do not have to do the balancing test. It is deliberately narrow, so most everyday commercial uses still need the ordinary test. There is more in our guide to the Act.
How to choose
Go activity by activity and ask what the processing is really for. Consent is not a catch-all: if you could not honour a withdrawal, it is the wrong basis. If a law compels you, that is legal obligation, not consent. If it is core to a service someone asked for, that is contract. Write down the basis for each activity and state it in your privacy notice, because you may have to justify it, and switching to a different basis later is hard to do fairly.
One more thing: sensitive information (health, ethnicity, beliefs, and so on) needs a lawful basis and an extra condition under Article 9. See special category data in the jargon-buster.