Legal Purpose, Consent, and Legitimate Interest is the governance framework through which organizations establish a lawful basis for processing personal data — a prerequisite under modern privacy law before any collection, use, or sharing of personal information may occur. Under GDPR Article 6, six lawful bases exist; consent and legitimate interest are the most commonly invoked and the most frequently misapplied. Consent is a freely given, specific, informed, and unambiguous indication of a data subject's agreement to processing — an affirmative act, never passive or bundled. Legitimate Interest (LI) applies when processing is necessary for a compelling organizational purpose that is not overridden by the data subject's fundamental rights; it requires a formal Legitimate Interest Assessment (LIA) documenting a three-part test: purpose, necessity, and balancing. The framework covers five activities: (1) selecting the correct lawful basis for each processing activity, (2) implementing and recording consent validly, (3) conducting and documenting LIAs, (4) maintaining accountability records in the RoPA, and (5) governing scope — ensuring data collected under one basis is not repurposed without fresh justification.
Where it stops · what it isn't
- IS: A governance decision framework for determining and documenting the legal basis for each specific processing activity.
- IS: Applicable to any organization subject to GDPR, UK GDPR, CCPA, or equivalent privacy regimes that processes personal data of individuals.
- IS NOT: A one-size-fits-all compliance checkbox — each processing activity and each jurisdiction requires independent legal basis evaluation.
- IS NOT: A substitute for the other four GDPR lawful bases (contract, legal obligation, vital interests, public task) — consent and legitimate interest apply only where those more specific bases do not.
- IS NOT: Synonymous with a Privacy Notice or cookie banner — those are transparency instruments that must accurately reflect the lawful basis but do not themselves constitute one.
- IS NOT: Interchangeable — once a lawful basis is selected and communicated to data subjects, the organization cannot silently switch to a different basis if the original becomes inconvenient.
- IS NOT: Sufficient alone for special category data (GDPR Article 9) — which requires a separate, explicit basis from the Article 9(2) list (e.g., explicit consent or substantial public interest) layered on top of the Article 6 basis.
- Does NOT govern anonymous data or data with no identifiable link to a natural person — privacy law lawful basis requirements do not apply to fully anonymized datasets.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF:
- Privacy Governance — Legal Compliance Framework (GDPR Articles 5–6)
REQUIRES:
- Records of Processing Activities (RoPA / GDPR Article 30)
- Privacy Notice / Transparency Obligations (GDPR Articles 13–14)
- Accountability and Documentation (GDPR Articles 5(2), 24)
ENABLES:
- Data Subject Rights Management (erasure, portability, objection)
- Third-Party Data Sharing and Joint Controller Arrangements (GDPR Article 26)
CONSTRAINS:
- Secondary Use and Purpose Creep Prevention
RELATED TO:
- Data Protection Impact Assessments (DPIAs)
- Special Category Data Handling (GDPR Article 9)