When it comes to GDPR, even a short title such as the one above can provoke a range of questions…

What is the definition of processing?

What are the lawful ways of processing?

How can I make sure I’m complying with them?

What data does this even apply to..?

Relax and take a breath, if you’re concerned, then that shows you care and on your journey towards compliance and GDPR best practice, you certainly aren’t alone. I deliver help and support to businesses of every shape, size and flavour weekly, to help them process their data lawfully.

Breaking it down

There has to be a lawful basis for processing personal data, the good news is there are just six to choose from and we will look at each a little more closely to help you understand the basis on which you process yours.

But first:  What on earth constitutes processing?

From a GDPR point of view, processing refers to any single operation (or set of operations) that are performed on personal data.

If you do any of the following, then you are processing data:

  • Collecting or recording it
  • Organising or structuring it
  • Adapting or altering it
  • Storing or retrieving it
  • Restricting, erasing or destroying it

As a rule of thumb, if you are unsure, assume that you are processing personal data, because 99.9 times out of a hundred, you always are.

And if you are, then you need a lawful reason to do so, this is one of the most important principles which underpin data protection.

The six lawful bases for processing data

While no single one of the lawful bases for processing data is better or worse than the other five, the one that applies to you or your business will be informed by your purpose and the relationship you have with the person or people with who data you process. It is important to identify which applies to you.

It has to be determined and documented before you process anything, The Information Commissioner’s Office has this handy online tool to help with that.

The six lawful bases are as follows:

Legitimate interest:

If the processing of data is necessary for the legitimate interests of you or a third party then this basis will apply.  Remember though, if there is a good reason to protect an individual’s data then that may override those legitimate interests.

Public Interest:

This basis applies if the data processing is vital for a task that is clearly in the public interest or part of an official function with a clear and present basis in law.

Vital Interest:

The basis that really means what it says, vital interest revolves around processing data that is necessary in order to protect someone’s life.

Legal Obligation:

Some forms of data processing are necessary for you or your business to comply with the law; if that is the case then your basis is one of legal obligation.


If data processing is necessary due to a contract that exists between you and an individual, or they have asked you to undertake specific steps prior to entering into a contract, this is a lawful basis for processing their data.


If you have clear consent from an individual, to process their data for a specific purpose, then consent is your lawful basis for doing so.

Sometimes, your own lawful basis for processing data may be obvious, but sometimes not and this is important to get right the first time and ensure it is demonstrable. You may have more than one purpose for example or your circumstances and reasons for processing data may change over time.

Those are the occasions when the services of a GDPR specialist can really make a difference, if you need help and advice around this, or any other aspect of GDPR compliance then get in touch.