Compliance & Regulations:
What Is Lawful Basis For Processing Data?
“Lawful basis” is the legal ground that permits processing personal data under frameworks like the General Data Protection Regulation (GDPR) and the UK GDPR. RMOS™ (Revenue Marketing Operating System) helps teams select the right basis, apply controls, and keep audit-ready evidence across systems.
Lawful basis is the specific legal justification you rely on to process personal data. Article 6(1) of GDPR/UK GDPR sets out six bases: Consent, Contract, Legal Obligation, Vital Interests, Public Task, and Legitimate Interests. Decide on one per processing purpose before processing starts, document why it applies, state it in your privacy notice, and configure systems to enforce it (consent receipts, suppression rules, retention limits, and access controls). The rights a data subject can exercise depend on the basis (withdrawal under consent, objection under legitimate interests), so switching basis after the fact is hard to justify.
Principles For Selecting A Lawful Basis
The Lawful Basis Playbook
A practical sequence to choose, apply, and prove your basis for each processing purpose.
Step-By-Step
- Define The Purpose — Describe the business outcome and data categories involved.
- Map Jurisdictions — Identify where data subjects reside and which laws apply (EU/UK, state, sectoral).
- Select The Basis — Evaluate all six; pick the most appropriate basis for that single purpose.
- Configure Controls — Consent capture and proof, contractual terms, RBAC/SSO, data minimization, and retention timers.
- Record The Rationale — Document assessments (e.g., Legitimate Interests Balancing Test) and owner approvals.
- Test Rights Handling — Validate DSAR flows, opt-outs, and objection handling against the chosen basis: withdrawing consent must be as easy as giving it and must stop the processing, and an objection to direct marketing under legitimate interests must always be honored.
- Review Periodically — Reassess basis when purpose, data, or law changes; update evidence and notices.
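As an added illustration of the enforcement step in the playbook above (this is example code, not RMOS or anything from the original page), the Python below models a purpose register that binds each purpose to exactly one basis, consent receipts that record the UI version and withdrawal time, objection handling for legitimate-interests purposes, a retention check, and an audit trail of every decision. Purpose names, reference IDs, retention periods and the subject data are invented for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Basis(Enum):
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal_obligation"
    VITAL_INTERESTS = "vital_interests"
    PUBLIC_TASK = "public_task"
    LEGITIMATE_INTERESTS = "legitimate_interests"


@dataclass(frozen=True)
class Purpose:
    basis: Basis            # exactly one basis per purpose
    retention: timedelta    # retention timer for data held for this purpose
    rationale_ref: str      # pointer to the documented assessment (e.g. an LIA)


@dataclass
class ConsentReceipt:
    given_at: datetime
    ui_version: str                          # which notice/UI the subject actually saw
    withdrawn_at: Optional[datetime] = None  # set when the subject withdraws


@dataclass
class Subject:
    subject_id: str
    collected_at: datetime
    receipts: dict = field(default_factory=dict)   # purpose name -> ConsentReceipt
    objections: set = field(default_factory=set)   # purposes the subject objected to
    active_contract: bool = False


# Hypothetical purpose register (names, IDs and periods are invented).
PURPOSES = {
    "email_promotions": Purpose(Basis.CONSENT, timedelta(days=730), "PRIV-017"),
    "billing": Purpose(Basis.CONTRACT, timedelta(days=2555), "PRIV-003"),
    "security_logs": Purpose(Basis.LEGITIMATE_INTERESTS, timedelta(days=365), "LIA-009"),
}

AUDIT_LOG: list = []   # evidence: (when, subject, purpose, allowed, reason)


def may_process(subject: Subject, purpose_name: str, now: datetime) -> tuple:
    """Return (allowed, reason). Deny by default: an unregistered purpose, an
    expired retention period, missing or withdrawn consent, or a recorded
    objection all refuse the processing."""
    purpose = PURPOSES.get(purpose_name)
    if purpose is None:
        decision = (False, "purpose not registered")
    elif now - subject.collected_at > purpose.retention:
        decision = (False, "retention period expired")
    elif purpose.basis is Basis.CONSENT:
        receipt = subject.receipts.get(purpose_name)
        if receipt is None:
            decision = (False, "no consent receipt")
        elif receipt.withdrawn_at is not None:
            decision = (False, "consent withdrawn")
        else:
            decision = (True, f"consent {receipt.ui_version} @ {receipt.given_at.isoformat()}")
    elif purpose.basis is Basis.LEGITIMATE_INTERESTS:
        # Objection treated as absolute here, as it is for direct marketing;
        # other objections would go to a compelling-grounds review instead.
        if purpose_name in subject.objections:
            decision = (False, "objection recorded")
        else:
            decision = (True, f"legitimate interests, see {purpose.rationale_ref}")
    elif purpose.basis is Basis.CONTRACT:
        if not subject.active_contract:
            decision = (False, "no contract to perform")
        else:
            decision = (True, f"contract, see {purpose.rationale_ref}")
    else:
        decision = (True, f"{purpose.basis.value}, see {purpose.rationale_ref}")
    AUDIT_LOG.append((now.isoformat(), subject.subject_id, purpose_name, *decision))
    return decision


def withdraw_consent(subject: Subject, purpose_name: str, when: datetime) -> None:
    receipt = subject.receipts.get(purpose_name)
    if receipt is not None and receipt.withdrawn_at is None:
        receipt.withdrawn_at = when


def object_to(subject: Subject, purpose_name: str) -> None:
    subject.objections.add(purpose_name)


def demo() -> dict:
    """Walk one constructed subject through the decisions a rights test exercises."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    alice = Subject("alice", collected_at=now - timedelta(days=30), active_contract=True)
    alice.receipts["email_promotions"] = ConsentReceipt(now - timedelta(days=30), "consent-ui-v4")
    out = {}
    out["promo_before"] = may_process(alice, "email_promotions", now)
    withdraw_consent(alice, "email_promotions", now)
    out["promo_after_withdrawal"] = may_process(alice, "email_promotions", now)
    out["billing"] = may_process(alice, "billing", now)
    out["logs_before"] = may_process(alice, "security_logs", now)
    object_to(alice, "security_logs")
    out["logs_after_objection"] = may_process(alice, "security_logs", now)
    out["unregistered"] = may_process(alice, "profiling", now)
    out["expired"] = may_process(alice, "security_logs", now + timedelta(days=400))
    return out


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The design point is that the decision function never asks "is there some basis?" but "what is the one basis registered for this purpose, and do its conditions still hold right now?", and that every answer is written to the audit log with its reason so the evidence column of the table below can be produced from the system rather than reconstructed later.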
Lawful Bases Compared
| Basis | When Appropriate | Key Requirements | Risks | Evidence To Keep | Typical Examples |
|---|---|---|---|---|---|
| Consent | Freely given, specific, informed, unambiguous choice | Granular options, withdrawal as easy as giving consent, no coercion or pre-ticked boxes | Low quality consent, dark patterns, poor tracking | Consent receipts (who, when, what they were told), preference logs, UI/notice versions | Email promotions, cookies beyond strictly necessary |
| Contract | Processing necessary to perform a contract | Clear terms; necessary for service delivery | Over-claiming “necessary”; scope creep | Contracts, order forms, fulfillment records | Account provisioning, billing |
| Legal Obligation | Required by law/regulation | Cite the statute; limit to legal need | Processing beyond legal scope | Policy references, regulator guidance, logs | Tax records, compliance reports |
| Vital Interests | Protect life or physical safety | Narrow emergency use; document context | Misuse for non-emergencies | Incident notes, timestamps, approvals | Emergency notifications |
| Public Task | Public interest / official authority | Legal mandate or public function | Unclear mandate; private orgs misapply | Mandates, policies, DPIAs | Public health messaging |
| Legitimate Interests | Balanced business interest with safeguards; not available to public authorities for their official tasks | Balancing test (LIA), transparency, right to object (objections to direct marketing must always be honored) | Overreliance; weak balancing; processing the subject would not reasonably expect | LIA (balancing test), notices, risk mitigations, objection log | Security logs, basic analytics, B2B outreach (context-specific) |
Client Snapshot: Clear Basis, Fewer Risks
A global B2B team mapped each processing purpose to a single lawful basis and automated evidence capture in RMOS™. Consent quality rose 24%, objections dropped 18%, and DSAR resolution time improved to 7 business days without added headcount.
Connect purpose, basis, and proof using Revenue Operations and Marketing Operations so every workflow stays audit-ready.
FAQ: Lawful Basis & Data Rights
Fast answers for privacy, legal, security, and revenue teams.
Choose The Right Lawful Basis
Operationalize purpose, proof, and controls—without slowing growth.