One of the foundational requirements of UK GDPR is that businesses must have a lawful reason — a lawful basis — for processing personal data. Simply wanting to use someone's data, or assuming that having received it means you can use it as you wish, is not sufficient. Understanding what the lawful bases are and which applies to a particular type of processing is a prerequisite for compliant data handling.
UK GDPR sets out six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most small businesses, the most relevant are consent — where the individual has actively agreed to a specific use of their data — contract, where processing is necessary to fulfil an agreement, and legitimate interests, where the business has a genuine reason not overridden by the individual's rights. The basis used must be documented and communicated in the privacy policy.
Relying on the wrong lawful basis or failing to document it is one of the most common data protection gaps in small businesses. Consent in particular is often misapplied: it must be freely given, specific, informed, and unambiguous, and cannot be bundled into terms and conditions. Our guide to lawful bases under UK GDPR explains each basis and helps founders identify which applies to their data processing activities.