GDPR: Why do you hold personal data?

According to the General Data Protection Regulations (GDPR), there is six lawful basis for us to hold and process data.

This is simply, do you have permission? GDPR however, really tightens up the rules around consent.
Pre-ticked boxes or confusing statements will no longer be classed as consent. You need to tell people precisely what they are signing up for and always offer them a simple method of opting out should they so wish.
For more details visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

Not as much has changed here. You still have a contractual basis to hold and use data if you need it to fulfil a contractual obligation or to enter into a contract, e.g. providing a quote.
You do not need the agreement written down, but the information you use must be necessary, e.g. you need an address to deliver a product, but you don’t need the individual’s preference or interests. If you want the latter for targeted advertising, you would need to gain consent for this. The bank details of your employees are also necessary for you to provide the contractual agreement for payment.
For more details visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/

This is data you hold required to fulfil a legal obligation. For example, keeping personal data for your employees is a requirement of the HMRC.
For more details visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legal-obligation/

This is really to do with life and death situations. Next of kin details, for example, are necessary under vital interests.
For more details visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/vital-interests/

This is most relevant to public authorities, but it can apply to smaller businesses particularly regarding sharing information.
If presented with the correct paperwork you would have to disclose the requested data to courts or the police for example.
For more details visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/public-task/

For small businesses, the lawful basis of legitimate interests will be crucial. It is flexible, but it also complicated. As described by the IOC there is a three-part test to ascertain this legal basis;
- Identify a legitimate interest
- Show that the processing is necessary to achieve it
- Balance it against the individual’s interests, rights and freedoms.
A good gauge for legitimate interest is would the recipient reasonably expect to receive the information/marketing? If you send to an existing client, they probably would. If you send to someone, who has enquired about your services they probably would. (Here you need to think about how long you hold the information as this will affect the ‘reasonable expectancy’ of the individual)
Please note legitimate interests is not a ‘get out of jail free’ card. It is about balancing your needs with the individuals and showing thought and consideration. For example, you can’t just bombard a client continually because they are a client. Your processing of their data should be used carefully and mindfully.

To do;

Look at the list of personal data you hold and process and think about why you keep this data. What lawful basis would it come under?

Check your consent procedures
- Do you explain what they are signing up for?
- Do you state what they might receive from you? E.g. consider wording like; Do you give consent to receive our newsletter, emailers and relevant offers and promotions?
- Do you refer to the privacy policy? (We’re covering this on the next blog)

Have you set guidelines for how long you will keep their data?
- Ask yourself what the length of time would still be appropriate for us to make contact?
- This will depend on your industry and service and product.
- Don’t forget to consider clients, prospects and employees separately.

Where you have stated, legitimate interests document your reasons why
- Why is it acceptable for you to contact them?
- Why is the information relevant to them?

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-4460635-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.