There are six legal bases for processing as set out in Article 6 of the General Data Protection Regulation (GDPR). At least one of these must apply whenever you process personal data.
While the Information Commissioner's Office (ICO) has made it clear you must have a valid lawful basis to process personal data, many organisations assume it's dependent on obtaining consent. Consent is just one of six legitimate reasons for processing personal data. Which basis you deem to be the most appropriate will depend on your purpose and relationship with the individual.
The data subject has provided clear consent to the processing activity. GDPR states it must be freely given, specific, informed and unambiguous – provided by a statement or a clear, affirmative action. Data subjects must be able to refuse or withdraw consent without penalty.
GDPR Recital 40 says "the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract" is a legitimate basis of lawful processing.
Personal data processing is necessary for legal reasons, for example, tax reporting or employee record maintenance.
Recital 45 states that "Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law".
This only applies if it's necessary to process personal data to protect someone's life, as clarified in Recital 46 of the GDPR: "Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis". For example, this applies if someone's medical history is made available to treat them in A&E after a life-threatening road accident.
As per Article 6, data can be processed "for the performance of a task carried out in the public interest or in the exercise of official authority".
You don't need a specific statutory power to process personal data, but you must have a clear and documented basis in law.
Data subjects' rights to erasure and data portability do not apply if you are processing on this basis. However, they do have a right to object.
Legitimate interest is the most flexible of the six lawful bases for data processing. It can potentially be applied to any type of processing carried out for any reasonable purpose.
Article 6(1)(f) states that processing is lawful if 'processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject'.
This leaves a lot of room for interpretation and the definition is unhelpfully vague. The burden is on you to determine if your interests in processing personal data really are legitimate.
These interests must be balanced against those of the data subject(s). The GDPR mentions processing client or employee data, marketing, fraud prevention, intra-group transfers or IT security as potential legitimate interests, but this list is not exhaustive.
The important thing to consider is that ‘legitimate interests’ is most likely to be appropriate if you are using personal data in ways that the data subject would deem reasonable and where the processing has a minimal impact on their privacy.
Remember that if you use legitimate interest as your basis for processing personal information as part of your marketing activities, the data subjects’ right to object is absolute: you must stop processing if anyone objects.
If you have doubts regarding the legal justification for processing data, it is best to ask your data protection officer (DPO). This could be a stand-alone role or someone with expertise in this area. If you don't have one, refer to Article 37(1) of the GDPR.
It goes without saying that all staff need GDPR awareness training, and those handling a lot of information (particularly sensitive data) will need a more in-depth understanding.
To reassure those who are providing you with data, create privacy notice and data processing statement web pages. Additionally, make website cookie requests simple and clear.
Personal data must be processed lawfully, in compliance with the related principles and laws, and with people’s rights respected.
The identified or identifiable living individual (“natural person”) whose personal data is collected/processed/stored. An example of a data subject is a customer or an employee.
Any person/company/body/public authority that determines the why and how of processing personal data. Examples include an employer and a hospital.
Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Data Protection and GDPR Training Package offers a complete solution for your compliance programme. Courses in the libraries include:
We've created a comprehensive GDPR compliance roadmap to help you navigate the compliance landscape. If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.