Article 6 of the GDPR provides six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most products rely on only three of them (consent, contract, and legitimate interests); vital interests and public task are rarely available to a commercial service. The job is to decide, before processing starts, which basis fits each purpose in your product, record that decision, and communicate it consistently, because switching to a different basis after the fact is hard to justify.
Consent is the most visible basis, but it is often the weakest choice. Valid consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give; if the user cannot realistically refuse because the processing is needed to deliver the service they asked for, the consent is not freely given and the basis does not hold. In that case contract is the better fit: the processing is necessary to perform a contract with the data subject, and a withdrawal mechanism you could not honor is not promised. If the processing is required by a law that applies to you, legal obligation is the clearer basis; asking for consent to something the user cannot refuse misleads them about the choice they have.
Legitimate interests is the most flexible basis, but it carries the most work. It requires a three-part test: identify the interest you are pursuing, show that the processing is necessary for it, and balance that interest against the rights, freedoms, and reasonable expectations of the people whose data you use. Write that assessment down (a legitimate interests assessment), keep it with your other processing records, and make sure your product messaging matches it, including the fact that users can object to the processing. The goal is that nobody is surprised by what you do with their data.
- Pick a lawful basis per data purpose, not per dataset.
- Explain it in plain language at the moment of collection.
- Keep it consistent with your privacy policy and product behavior.