ICO Guidance on Lawful Basis for Personal Data Processing

Detected February 6th, 2026

Summary

The UK's Information Commissioner's Office (ICO) has updated its guidance on the lawful basis for processing personal data. This guidance is under review due to upcoming legislation, the Data (Use and Access) Act 2025, and may be subject to change.

View original document View source feed page

What changed

The Information Commissioner's Office (ICO) has published updated guidance concerning the lawful basis for processing personal data under UK GDPR. The guidance covers the six lawful bases, special category data, criminal offence data, and biometric data. It also includes sector-specific advice, such as an opinion on the DVLA's processing of vehicle keeper data. The ICO notes that this guidance is currently under review and may be updated following the commencement of the Data (Use and Access) Act 2025 on 19 June 2025.

Organizations processing personal data should review the updated guidance to ensure their practices align with the six lawful bases. While this guidance is non-binding, adherence is crucial for demonstrating compliance with data protection regulations. Businesses are advised to consult the relevant sections, particularly those dealing with consent, legitimate interests, and special category data, to ensure they have a valid lawful basis for their processing activities. Small businesses are directed to specific resources tailored for them.

Source document (simplified)

Lawful basis

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen. The guidance on this page is suitable for large businesses in the public, private and third sectors. Small businesses should use the resources in our section containing advice for small organisations.

Brief guidance

A guide to lawful basis for using information

Guidance on the six reasons you can use for using personal information (known as lawful basis), how you can decide the right one for you, and the extra rules for more sensitive types of information (including special category and criminal offence data).

Detailed guidance

Consent

When you can (and can't) use consent, why it's important, and how to obtain, record and manage consent.

Legitimate interest

When you can use legitimate interests and how to apply it.

Special category data

What is special category data, what are the rules about using it and what are the extra conditions you need to meet.

Criminal offence data

What is criminal offence data, what are the rules for using it and what are extra conditions you need to meet.

Biometric data guidance: Biometric recognition

What is biometric data, what is meant by "biometric recognition", demonstrating compliance with data protection obligations and processing biometric data fairly and lawfully.

In your sector

The lawful basis for the processing of vehicle keeper data by the Driver and Vehicle Licensing Agency (DVLA)

Commissioner’s Opinion primarily for the DVLA and the Department of Transport. It sets out the correct lawful basis for the DVLA to process vehicle keeper data when sharing it with car park management companies to recover unpaid parking charges.