GDPR – Lawful Basis for processing

The requirement to have a lawful basis in order to process personal data is nothing new. The new implementation of GDPR mirrors the 1998 Data Protection Act and builds upon it with an increased focus on accountability and transparency around data processing.

The 6 new lawful basis’s for processing are broadly similar to the DPA conditions but there are some changes, meaning you will need to review your current processing and understand which is the most appropriate for your business. In many cases the existing condition you use will remain the same with GDPR.

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party. Unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Not applicable if you are a public authority processing data to perform your official tasks.)


It is vital to understand which lawful basis applies most directly to your business. Although it is possible to change basis, doing so because your current condition is wrong means you will breach GDPR. Changes to your condition may only be made when the reason for your processing changes and no longer complies with your basis for processing.


You may need to consider a variety of factors in order to determine your basis, including:

  • What is your purpose – what are you trying to achieve?
  • Can you reasonably achieve it in a different way?
  • Do you have a choice over whether or not to process the data?
  • Are you a public authority?


Call Recording Solutions

Once you have found the most suitable lawful basis for your business it is then vital to ensure that any data you process is dealt with securely and in compliance to GDPR. Call recording is a common solution used by businesses, enabling data to be processed securely, kept and disposed of safely in a timely manner. Call recording can also be useful for dealing with issues where a ‘paper trail’ is required to find a solution to issues or complaints. As well as ensuring compliance and provide additional security within the company.

If payment information is taken over the phone extra precautions such as encryption and ad hoc or recording may be necessary for customer security.

MDM is a further tool businesses may use to ensure compliance even when out of the office. This can prevent data leaks both maliciously and accidentally. Data encryption and copy/paste restrictions can help secure the gaps left in your compliance strategy by mobile workers.


For more information on Call recording and MDM software to help your business remain GDPR compliant please get in touch at . Alternatively you can fill in the contact form at the bottom of this page or call 01623687750