Legal grounds for processing personal data

The GDPR expands upon and alters some of the legal bases for processing personal data that are present under the DPA. The updated legal bases are that the processing operation:

In particular, the ‘legitimate interest’ basis (the last in the list above) will not be available to public authorities. The University is likely to be classified as a ‘hybrid’ authority, meaning that in some of its functions it will be treated as a public authority, whilst in others it will not, entailing that it can use the legitimate interests basis to justify the processing of personal data in some circumstances.

Also see the ICO’s webpage section on lawful processing, and Articles 6, 7, 8, 9 and 10 of the GDPR.


The GDPR strengthens the protections and requirements about using consent as the basis for data processing, so any processing currently carried out on this basis will need to be reviewed to ensure compliance.

Moving forward under the GDPR, consent will need to be:

Also see the ICO’s draft guidance on consent under the GDPR, and Articles 4(11), 6(1)(a), 7, 8 and 9(2)(a) of the GDPR.