How to document the chosen lawful basis?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Choosing your lawful basis isn't enough. You need to write it down before you start processing, and that documentation needs to hold up if a regulator ever asks to see it.
For each type of processing you do (sending marketing emails, tracking engagement, storing profile data, passing data to your CRM), you should record: the processing activity, the lawful basis you're relying on, why you chose that basis, and the date you made that decision.
If you're using consent, you need consent records too: timestamp, source, the exact wording the person agreed to, and the version of your privacy notice in effect at the time. Most ESPs can export this data, but check that yours does before you need it.
If you're using legitimate interest, you need a Legitimate Interest Assessment (LIA). This is a documented three-step test: purpose (what's your legitimate interest), necessity (is processing necessary for that purpose), and balancing (do your interests outweigh the individual's rights). The LIA should be a real document, not a one-liner.
This documentation typically lives in your Records of Processing Activities (ROPA), which GDPR Article 30 requires for organizations above 250 employees and in many other situations. Even if you're below that threshold, maintaining a ROPA is good practice and shows due diligence.
A simple starting point: document your three main email types (marketing, transactional, automated), the lawful basis for each, and where the consent or LIA records are stored. That covers most of what a regulator will ask for first.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.