According to the General Data Protection Regulation (GDPR), there are six lawful bases for us to hold and process data.
GDPR is about altering perceptions & the culture around why we have data. We should only hold data we need, not just keep data for the sake of it.
Here is a summary of the six lawful bases under GDPR, with links to the Information Commissioner’s Office (ICO) compliance guidance to help answer any additional questions.
1. Consent
- This is simply a question of whether you have permission. GDPR, however, really tightens up the rules around consent.
- Pre-ticked boxes or confusing statements will no longer be classed as consent. You need to tell people precisely what they are signing up for and always offer them a simple method of opting out should they so wish.
- For more details visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
2. Contract
- Not as much has changed here. You still have a contractual basis to hold and use data if you need it to fulfil a contractual obligation or to enter into a contract, e.g. providing a quote.
- You do not need the agreement written down, but the information you use must be necessary, e.g. you need an address to deliver a product, but you don’t need the individual’s preferences or interests. If you want the latter for targeted advertising, you would need to gain consent for it. The bank details of your employees are likewise necessary for you to fulfil the contractual agreement for payment.
- For more details visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/
3. Legal obligation
- This is data you hold because it is required to fulfil a legal obligation. For example, keeping personal data on your employees is a requirement of HMRC.
- For more details visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legal-obligation/
4. Vital Interests
- This is really to do with life and death situations. Next of kin details, for example, are necessary under vital interests.
- For more details visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/vital-interests/
5. Public Task
- This is most relevant to public authorities, but it can apply to smaller businesses particularly regarding sharing information.
- If presented with the correct paperwork, you would have to disclose the requested data to the courts or the police, for example.
- For more details visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/public-task/
6. Legitimate Interests
- For small businesses, the lawful basis of legitimate interests will be crucial. It is flexible, but it is also complicated. As described by the ICO, there is a three-part test to establish this lawful basis:
  - Identify a legitimate interest
  - Show that the processing is necessary to achieve it
  - Balance it against the individual’s interests, rights and freedoms
- A good gauge for legitimate interest is: would the recipient reasonably expect to receive the information or marketing? If you send it to an existing client, they probably would. If you send it to someone who has enquired about your services, they probably would. (Here you need to think about how long you hold the information, as this will affect the individual’s ‘reasonable expectation’.)
- Please note that legitimate interests is not a ‘get out of jail free’ card. It is about balancing your needs with the individual’s and showing thought and consideration. For example, you can’t just bombard a client continually because they are a client. Your processing of their data should be done carefully and mindfully.
So what can you do practically to justify your lawful basis for holding and processing information under GDPR?
Look at the list of personal data you hold and process and think about why you keep this data. What lawful basis would it come under?
Check your consent procedures
- Do you explain what they are signing up for?
- Do you state what they might receive from you? E.g. consider wording like: “Do you give consent to receive our newsletter, emailers and relevant offers and promotions?”
Have you set guidelines for how long you will keep their data?
- Ask yourself for what length of time it would still be appropriate for you to make contact.
- This will depend on your industry and service and product.
- Don’t forget to consider clients, prospects and employees separately.
Where you have stated legitimate interests, document your reasons why
- Why is it acceptable for you to contact them?
- Why is the information relevant to them?