
Lawful Basis Assessment

Definition

A Lawful Basis Assessment is a documented evaluation, under the EU General Data Protection Regulation (GDPR), that identifies and justifies the legal ground for processing personal data and demonstrates accountability for that choice. It typically maps the processing purpose to one of the lawful bases in Article 6(1) (consent, contract, legal obligation, vital interests, public task, or legitimate interests), records why the selected basis fits, and captures any conditions that follow from it (for example, how consent will be obtained and withdrawn under Article 7, or how a legitimate interests assessment will address necessity and balancing). A robust assessment also checks whether additional rules apply, such as Article 9 for special category data or Article 10 for criminal offence data, and aligns required transparency information with Articles 13 and 14. The output is often a decision record that can be linked to Records of Processing Activities (Article 30), risk assessments, and DPIAs where required (Article 35). Comparable concepts exist in other privacy regimes as ‘legal grounds’, ‘permitted purposes’, or ‘authorized bases’ for processing, but the assessment should be tailored to GDPR requirements and the organization’s specific processing context.

Real-World Examples

SaaS onboarding under contract necessity

A startup documents Article 6(1)(b) as the lawful basis to create accounts and deliver core service features, and limits processing to what is necessary for the contract.

Security logging under legitimate interests

An enterprise records Article 6(1)(f) for security monitoring and completes a legitimate interests assessment covering purpose, necessity, and balancing, plus retention controls.

HR payroll processing under legal obligation

A mid-sized company documents Article 6(1)(c) for payroll and statutory reporting, linking the decision record to internal compliance evidence and access restrictions.

Biometric access checks with special category data

A global organization verifies whether biometric processing triggers Article 9 conditions and records the applicable condition alongside Article 6, plus added safeguards and transparency.

A lawful basis assessment is a written record that explains which GDPR legal basis (Article 6) you rely on for a specific processing activity and why that basis fits the purpose, scope, and context.

Start with the processing purpose, map it to the GDPR bases in Article 6(1), and select the option that is necessary and appropriate; then document the reasoning, constraints, and any follow-on obligations.

You typically need a legitimate interests assessment (LIA) when relying on GDPR Article 6(1)(f) legitimate interests, to show that the processing is necessary and that your interests are not overridden by the individual’s rights and expectations.

Common fields include processing description, purpose, chosen GDPR basis and rationale, data categories, recipients, retention, security controls, transparency notes (Articles 13/14), and links to Article 30 records and risk assessments.

Maintain a decision record per processing activity, keep it versioned and accessible to relevant teams, and connect it to your Article 30 RoPA entry, policies, and evidence showing the basis is applied in practice.

An LIA follows a three-part structure: define the legitimate purpose, confirm the processing is necessary to achieve it, and balance your interests against the person’s rights, considering safeguards, expectations, and potential impacts.

Changing the lawful basis is risky and must be justified; under GDPR you should choose the correct basis up front, and if circumstances change you may need to update notices and records, and potentially stop or redesign the processing.

A lawful basis assessment explains the legal ground for processing, while a DPIA (GDPR Article 35) evaluates high-risk impacts and mitigations; they should be consistent and often reference each other.

Consent (Article 6(1)(a), Article 7) must be freely given and easy to withdraw, which can disrupt operations; legitimate interests (Article 6(1)(f)) requires a defensible balancing analysis and strong safeguards.

Keep lawful basis assessment records for as long as the processing continues and long enough afterward to demonstrate GDPR accountability and handle disputes, aligned to your retention schedule and legal/regulatory requirements.

Version  Date        Author                           Description
1.0.0    2026-02-26  WatchDog Security GRC Wiki Team  Initial publication