When processing data, everything hangs on consent under GDPR, doesn't it? You can't process any personal data without it. In fact, things are a little more complex.
Not true. The rules on consent are certainly much tougher under GDPR, but consent is only one of the six lawful bases listed in Article 6(1), and the Information Commissioner's Office (ICO) has made clear that you only need it if it is the basis you are relying on. It is also frequently the wrong choice: GDPR consent must be freely given, specific, informed and unambiguous, and the individual can withdraw it at any time. If you would process the data regardless of whether the person agreed (because a contract or the law requires it, say), asking for consent is misleading, and another basis is the right one.
Put simply, having consent is one way of making sure you are compliant with GDPR, but there are other options which may be more appropriate for your organisation. Whichever basis you choose, you need to identify it before you start processing, record it, and state it in your privacy notice. Let's run through the five alternatives to consent…
Key conditions to ensure data processing is legal
1. Performance of a contract
Processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering into one - for example, collecting a customer's name and delivery address in order to fulfil their order.
2. Legal obligation
Processing is necessary to comply with a legal obligation to which you, as the controller, are subject (a contractual obligation does not count) - for example, reporting employee payroll data to HMRC, or disclosing information in response to a court order.
3. Protecting the data subject's vital interests
Processing is necessary to protect the data subject's vital interests - as in a life or death situation where someone's medical history is made available to treat them in an A&E department after a road accident. This basis is narrow: the ICO expects it to be used only where the person cannot give consent, not as a routine justification for processing health data.
4. Performing a task in the public interest
Processing is necessary to perform a task carried out in the public interest - for example, exercising statutory, governmental or public functions (e.g. collecting taxes).
5. Legitimate interest
Processing is necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. For example, a finance company uses a debt collection agency to track down a customer who has moved without notifying a change of address: there is a legitimate interest in recovering the debt, and the customer can reasonably expect it. Because this basis is the most flexible, it also carries the most responsibility. Before relying on it, carry out and document a legitimate interests assessment covering three questions: what the interest is, whether the processing is actually necessary to achieve it, and whether the individual's rights outweigh it. Note that public authorities cannot use legitimate interests for processing carried out as part of their public tasks.
Where to get advice on data processing legality
If you have doubts as to the legal justification for processing data, it is best to ask your data protection officer (DPO). It could be a stand-alone role or someone with expertise in this area. Article 37(1) of the GDPR makes a DPO mandatory for public authorities, and for any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data. If you fall outside those cases you are not obliged to appoint one, but it is still good practice to designate someone responsible for data protection and to record the reasoning behind your choice of lawful basis.
Want to learn more about GDPR?
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
To help you navigate the compliance landscape we have collated searchable glossaries of key terms and definitions across complex topics including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines. And if you're looking for a compliance training solution, why not visit our GDPR Course Library?
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you have any questions or concerns about compliance or e-learning, please get in touch. We are happy to help!