GDPR: lawful basis for processing personal data

Under the Data Protection Act 1998, businesses became used to the requirement to satisfy one of the “conditions for processing”.

Under GDPR, organisations are required to have a lawful basis to process personal data.

The main difference between the GDPR and the DPA is that GDPR places more emphasis on being accountable for and transparent about your lawful basis for processing.

Why is this important?

The first principle of the GDPR requires that personal data is processed lawfully, fairly and in a transparent manner. Processing is only lawful if there is a lawful basis.

To comply with the accountability principle, you must be able to demonstrate that a lawful basis applies.

And because individuals now have a right to be informed, you must provide them with information about your lawful basis for processing.

What are the lawful bases for processing?

Article 6 of the GDPR sets out the lawful bases for processing personal data.

It is worth remembering that processing is only lawful if at least one of these bases applies.

  • Consent. The individual has given clear consent for you to process their personal data for a specific purpose.

  • Contract. The processing is necessary for the performance of a contract to which the individual is a party.

  • Legal obligation. The processing is necessary for compliance with a legal obligation.

  • Vital interests. The processing is necessary in order to protect the vital interests of the individual or another person.

  • Public task. The processing is necessary for the performance of a task carried out in the public interest.

  • Legitimate interests. The processing is necessary for your legitimate interests or the legitimate interests of a third party, except where such interests are overridden by the interests of the individual whose data you’re processing.

Accountability

The principle of accountability requires agents to demonstrate that they are complying with the GDPR and have appropriate policies and processes in place. This means that agents will need to be able to show that they’ve properly considered which lawful basis applies to each processing purpose, and can justify that decision.

In addition, you will need to include information about your lawful basis in your privacy notice, including:

  • your intended purpose for processing the personal data; and
  • the lawful basis for the processing.

Checklist

In guidance issued by the ICO, they’ve helpfully set out a checklist for organisations to work through when considering their lawful basis for processing.

It may be useful to show you’ve considered the following factors:

  • We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
  • We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
  • We have documented our decision on which lawful basis applies to help us demonstrate compliance.
  • We have included information about the purposes of the processing and the lawful basis for the processing in our privacy notice.