GDPR has changed the way everyone is required to treat personal data, but the law is actually a lot more supple than many may realise. (The regulation is back in the spotlight following Google’s decision to move UK user data to the US, instead of processing it in Ireland, although the company claims no GDPR connection.)
Under GDPR (Article 6(1)) there are six lawful bases for processing personal data. At least one of them must apply before any processing takes place, and the basis relied on should be decided and documented before the processing starts, since switching bases later is difficult to justify.
1: Consent
This is the cleanest cut of the six: consent is used when an individual has given a freely given, specific, informed and unambiguous indication that they agree to the processing of their data. What is being asked of the individual must be easy to understand and kept separate from other legal terms and conditions.
In practice, however, it is one of the more difficult bases to manage: businesses need to establish a clear process that asks for someone’s consent and records what they consented to, when and how.
Critically, the individual’s consent has to be an affirmative action, such as ticking an opt-in box or signing a document. Pre-ticked boxes, silence or inactivity do not count as consent.
Be warned that consent is not locked in: once given, an individual has a specific right to withdraw it at any time, and withdrawing must be as easy as giving it. An organisation relying on consent is required to tell people about this right to withdraw.
2: Contract
This basis applies when processing someone’s personal data is necessary in order to deliver a contractual service to them, or because they have asked for something to be done before entering into a contract.
This is the basis that will be used when payment details have to be processed, or when a quote is required during pre-contract discussions.
Be warned that data gathered during a contract process is not fair game for internal or third-party processing outside the contracted obligations. You cannot reuse the data for other business purposes without identifying a separate lawful basis for that new purpose, which may mean obtaining consent.
3: Legal Obligation
Article 6(1)(c) of GDPR states that processing is lawful when it “is necessary for compliance with a legal obligation to which the controller is subject.”
Any personal data that has to be processed in order to comply with the law uses this basis. For instance, all employers have to process their employees’ personal data in order to submit salary and tax details to HMRC, and a court order may require you to process personal data in order to comply with its ruling. The obligation must be one laid down by law; a contractual obligation does not qualify, and it is good practice to record which law or order you are relying on.
4: Legitimate Interest
This particular lawful basis is the trickiest to define: essentially it covers processing of an individual’s data in a manner that they would “reasonably expect” and that has a minimal privacy impact, or where there is a compelling justification for the processing.
Applying legitimate interest as a basis can be done in a three-step test. First, identify the legitimate interest (the purpose test). Then demonstrate that the processing is necessary to achieve that purpose and that there is no less intrusive way of achieving it (the necessity test). Lastly, check that the interest is not overridden by the individual’s interests, rights and freedoms (the balancing test).
Whatever legitimate interest is chosen, it is up to the organisation to keep a record of this assessment and of the decision to rely on legitimate interest, for the sake of GDPR accountability. So if you come up with a clever justification, write it down.
Interestingly, GDPR Recital 47 says: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This can be understood in many ways, but the clearest application of legitimate interest to direct marketing would be marketing that the person would reasonably expect, such as an existing customer being told about similar products. Note that “may be regarded” is not a blanket permission: the balancing test still has to be carried out, and separate electronic-marketing rules (PECR in the UK) may require consent for marketing emails or texts regardless of the GDPR basis chosen. Legitimate interest is also used in direct marketing when someone opts out: in order not to process that person’s data or send them marketing emails, a record of their contact details has to be held and processed as a suppression list.
If in doubt, follow GDPR Recital 47, which states that: “The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”
5: Public Task
Covered in Article 6(1)(e), the public task basis applies where: “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
This basis is mainly used by public authorities as they carry out their legal duties. It covers public functions and powers that are established in law; the organisation should be able to point to the statutory basis for the task, even though the processing itself need not be spelled out in the legislation.
The public task basis is not solely for public bodies, as it can be used by any organisation that is fulfilling a public task or exercising official authority. For instance, a private water company collects a vast amount of customer data in order to carry out its statutory functions.
6: Vital Interest
Possibly the clearest and hopefully least used of all the bases: vital interest should only be used to process a person’s data where it is necessary to protect someone’s life.
If the same interest can be protected in a way that does not require the processing, or the processing can clearly be based on another lawful basis, then that is what you must do; Recital 46 says processing on the basis of another person’s vital interests should in principle take place only where it “cannot manifestly be based on another legal basis.”
Vital interest is not a general excuse to process someone’s health data. Health data is special category data, so an Article 9 condition is also needed; the matching condition, Article 9(2)(c), only applies where the individual is physically or legally incapable of giving consent, so in most medical situations another basis (and Article 9 condition) will apply instead.
GDPR Recital 46 clearly states that: “The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.”
“Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”