GDPR Bitesize: Finding Your Lawful Basis for Data Processing

Posted on: 14th February 2018


(All information gathered from the official ICO website)

If you’re going to be processing data then you need to have a lawful basis to do so.

This is not a completely new obligation, as the Data Protection Act 1998 required certain ‘conditions for processing’ to be met. However, with GDPR, there is much heavier emphasis placed on businesses being accountable for and transparent about their lawful basis for processing.

It’s important for businesses to understand that if no lawful basis applies to your data processing, then your processing will be unlawful and ultimately in breach of the first principle. Individuals also have the right to erase personal data which has been processed unlawfully.

So what counts as a lawful basis?

The six lawful bases for processing are similar to the old conditions for processing, although there are some differences. You now need to review your existing processing, identify the most appropriate lawful basis, and check that it applies. In many cases it is likely to be the same as your existing condition for processing.

The six lawful bases for processing personal data are as follows:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

You can choose a new lawful basis if you find that your old condition for processing is no longer appropriate under the GDPR, or decide that a different basis is more appropriate. This is, however, a one-off opportunity to bring your processing in line with the GDPR. Once the GDPR is in effect, you will not be able to swap between lawful bases at will if you find that your original basis was invalid. You will be in breach of the GDPR if you did not determine the appropriate lawful basis (or bases, if more than one applies) from the start.

The GDPR also brings in new accountability and transparency requirements. You should therefore make sure you clearly document your lawful basis so that you can demonstrate your compliance.

You must now inform people upfront about your lawful basis for processing their personal data.

You therefore need to communicate this information to individuals by 25 May 2018, and ensure that you include it in all future privacy notices.

How do we decide which lawful basis applies?

This depends on your specific purposes and the context of the processing. You should consider which lawful basis best fits the circumstances. You might consider that more than one basis applies, in which case you should identify and document all of them from the start.

Read more on this topic on the official ICO website. For more information on GDPR consultancy and GDPR training in Nottingham, click here to read about what we can offer your business.