Consent is not always the answer
Many teams overuse consent because it feels simple. A durable lawful-basis map separates consent from contract, legal obligation, vital interest, public interest, and legitimate interest.
Lawful bases under the NDPA
Choose and document the legal basis for each processing purpose before consent, policy, retention, and DSR workflows drift apart.
Plain English
What the chapter means in practice.
Operational takeaway
Every purpose in the RoPA should have a lawful basis, evidence, review date, and notice language linked to it.
Checklist
What to document.
- List purposes before selecting lawful bases.
- Avoid consent where withdrawal would make the service impossible.
- Attach review notes for legitimate interest and sensitive processing.
Related workflows