Introducing the lawful bases
Processing the personal data of customers and staff is often essential to running a business, so this usually can’t be altogether avoided. That’s why it’s your organisation’s responsibility to ensure that the way it’s processing this data is fair, legal, and transparent. But one major thing to consider first is whether there’s a lawful justification for processing the data in the first place: does your processing fall under any of the lawful bases?
The UK GDPR lays out seven key principles (which we covered in a previous article), setting the foundation upon which the way personal data is processed should be built. The first one states that any data processed must be done so “lawfully, fairly and in a transparent manner”. By processing personal data without a lawful basis, you’re in breach of this very first principle.
To understand if you’re adhering to these key principles, it’s paramount that you’re aware of the six lawful bases determining whether your processing of data is legal or not.
What are these bases?
These six lawful bases are plainly laid out in Article 6 of the UK GDPR. These bases are to be carefully considered, as at least one has to apply to the personal data that your organisation processes. The lawful basis (or bases) that apply to you must be stated in your privacy notice.
The lawful bases are:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
To definitively determine whether any lawful basis applies to your processing, you need to understand what each of them means. So let’s go into more detail.
If the data subject has given consent for his or her personal data to be processed, then it’s legal to do so. So long as the subject has been given a genuine choice and has agreed to the processing of their data, this lawful basis will apply.
With that said, this consent should be easy for the subject to withdraw, because everyone has the right to have full control and flexibility over how their personal information is used. It’s therefore fair, and should be easy, for a data subject to reverse this permission at any time. Evidence of any consent received should be kept – who it’s from, when it was given, how it was received, and what they consented to.
Consent is only legitimate if:
- It is informed; it must be clear to the subject what they’re consenting to.
- The consent given is explicit, confirmed in words – this must be a clear and specific statement.
- Consent is obtained for each thing, separate from other terms and conditions, as opposed to vague or “blanket” consent.
- It explicitly covers the name of the controller, the types of processing activity, and the purposes of processing the data.
- It is easy to understand, to the point, and user-friendly.
- It is given through a “positive opt-in”, e.g., not unticking a ticked box.
- It is as easy to withdraw as it was to give.
If processing somebody’s personal data is necessary in order to meet your obligations as part of a contract with the subject, this is also considered a legitimate purpose. This also applies if you’re entering into a contract with them and they’ve asked you to carry out steps that involve the processing of their data. This doesn’t necessarily need to be a formal legal document, as even an oral statement applies.
However, if there are other ways to meet your contractual obligations that don’t involve processing the subject’s data, then this lawful basis does not apply, and you’ll instead need to find a different justification. Failing that, you legally cannot proceed.
Similarly, if the processing of this personal data is the only way for you to meet a legal obligation, you may do so. You’ll need to provide evidence in the form of either a document that sets out what legal obligation you have, or by identifying what specifically you’re complying with.
An example of how this can be applied is if an employer is disclosing employee salary details to HMRC. The processing of this personal data is therefore necessary to carry out a legal obligation.
If the processing of someone’s personal data will protect a person’s life (not necessarily the data subject), then you may legally process it. This basis mostly applies to emergency medical treatment.
The UK GDPR states that this lawful basis should only apply if no other bases can be applied to the situation. For example, if consent can be sought, this basis cannot be relied upon.
If the processing is necessary to perform tasks in the public’s best interest, or to exercise authority, then it is permitted. So long as these purposes are laid down by law, this is an acceptable reason.
This lawful basis is most relevant to public authorities, but as long as your organisation exercises public authority or carries out tasks in the public interest, then this lawful basis can apply to your data processing. While a specific statutory power is not necessary, your underlying task must have a basis in law.
However, it’s specified that for this lawful basis to apply, it must be absolutely necessary to process the data to complete the aforementioned tasks. This must be demonstrable. If there are other, less intrusive ways to achieve these results, this basis doesn’t apply.
Finally, the most flexible basis is legitimate interests. This basis applies if the processing of the subject’s personal data is the only way to achieve a result in the interest of either you, or a third party. But while this basis seems to give the most freedom, it’s one that comes with a lot of responsibility. If you rely on this basis to use somebody’s personal information, you must ensure that the interests in question are acceptable.
This basis is most likely to apply if the reason for processing is one that the subject would reasonably expect. It’s also best if there’s only a minor impact on their privacy.
To determine whether you have a legitimate interest, you can perform a legitimate interest assessment, which you should then keep a record of. Then, if you need to demonstrate your compliance, you can do so.
Which lawful basis applies to me?
To decide under which lawful basis your data processing lies, you must consider why it’s being carried out. What’s the desired outcome? How is the data being used? Consider your purposes and from there, determine which of these bases, if any, fit those purposes. If you find that more than one basis applies, these must all be documented from the beginning.
Odds are, if your lawful basis isn’t made immediately clear by the circumstances, then you may be relying on legitimate interests or consent.
The ICO’s website has a handy interactive guidance tool which can help you determine your lawful basis if you’re struggling. It must be stressed, though, that if you still cannot identify one, you cannot proceed with the processing of the data.
The importance of the lawful bases
It’s extremely important to identify a valid lawful basis before any processing commences, and to document this from the start. By processing personal data without the application of a lawful basis, you’d be in breach of the UK GDPR, and your organisation can be fined.
It’s thus crucial that you consider carefully the data your organisation is processing, the reasons for doing so, and whether these reasons are legal and fair. You don’t want to face unwanted consequences for a simple error or oversight.
We understand that this can all be confusing and scary, especially considering the potential consequences of a mistake in this area. We at DPAS provide a range of services to help take some of the burden off your shoulders. By booking a consultation with us, you’ll receive expert advice from professionals who have years of experience in the industry.
Check out our services here.