When it comes to GDPR, if your company wants to process data about a client, prospect, employee or supplier, it must rely on one of the six lawful bases for doing so. This blog aims to provide details on each of these.
You may already be aware of the first: consent. GDPR has set a new, high standard and coined a specific definition for consent, which many companies have already raised concerns about. It's important to be aware that there are five other lawful bases, too. Your reason for processing personal data doesn't have to rely on consent. We'll look at the other bases before discussing consent in detail, so that you're aware of which basis different types of data processing could fall under.
This basis covers processing that is necessary to fulfil a contract you have with a client. It also covers you if you're asked to do something before entering into a contract, e.g. providing a quote, which involves processing their personal data.
Using WhitesPay as an example: when a client chooses to open an account with us, we take some of the personal information they give us as part of the process. When they agree to the terms and conditions and request a trade, we process their personal data in order to complete that trade, which is part of our contract. We therefore do not need their consent every time we process their personal data, because we process it to fulfil a contract.
This basis covers companies that are legally required to process the data given to them under specific legislation, such as anti-money laundering and counter-terrorist financing checks, as well as anti-fraud defences. Where a legal obligation set out by the EU or UK parliament requires you to process personal data, you may rely on this lawful basis.
This may not apply to many of us; this basis allows an entity to process personal data where it is essential to protect the life of the data subject. Its scope is very limited and, as the ICO itself has stated, it generally applies only in matters of life and death.
This applies mostly to public authorities, but it can also apply to an organisation that carries out tasks in the public interest.
Legitimate interest is perhaps the most flexible basis for processing, but it is not always the most appropriate one. It covers processing that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless those interests are overridden by the fundamental rights and freedoms of the data subject. Note that there are special requirements where the data subjects are children.
In order to establish whether you have a legitimate interest for processing data, the ICO recommends you break it down into a three-part test:
- Purpose test: Are you pursuing a legitimate interest?
- Necessity test: Is the processing necessary for that purpose?
- Balancing test: Do the individual's interests override the legitimate interest?
The final lawful basis for processing data is that the data subject has given their consent. The GDPR requires that consent be freely given by the data subject and that it be unambiguous. The GDPR has set a high standard for consent, which means you will have to re-evaluate how you currently obtain consent and how it's stored, and check that consent you obtained previously is in line with this standard. This could mean obtaining fresh consent from your clients, especially for direct marketing.
If you're using consent as the lawful basis for processing data, make sure you keep a clear record of how the consent was given, when it was given and where it is stored.
Now, it's important to be aware that consent is just one of the six lawful bases for processing data, so it doesn't have to be your main lawful basis, and you can rely on more than one. It's a good idea to sit down and think about why you need the data you hold and which lawful basis it falls under.