This e-book chapter is derived from a full GDPR course I created that has had over 11,000 student enrolments. I thought it would be useful to provide a version on Medium. Data protection law can be complex and an e-book cannot be sure to cover your organisation’s circumstances, so be sure to seek professional advice if you have any doubts when processing personal data.
In this chapter I cover the lawful reasons for processing personal data.
The GDPR is based upon the fundamental idea that any organisation that is involved in using personal data must have a lawful basis of processing for each activity it undertakes. This means that an organisation’s reason for processing data must be legal.
The regulation defines the lawful bases of processing that are available. Any processing activity that uses personal data must fall into one of the categories allowed by the regulations. Each one of these categories is called a “basis of processing”.
The basis of processing must be understood before processing takes place, and it should be communicated to the individuals in advance, normally as part of a fair processing privacy notice. Organisations cannot decide the basis of processing “on the fly”, as this shows that the basis of processing was not understood in advance.
Any organisation that is processing personal data belonging to EU citizens needs to consider three questions:
1. What personal data is being processed?
2. Why is the personal data being processed?
3. Which lawful basis of processing applies?
The last question is fundamental: it is not good enough for organisations to know why they process personal data; they must also determine that those reasons have a lawful basis.
These questions must be considered before processing takes place and the results should be written down. Throughout this book, expect to see more references to the need to keep records of decisions; this is to help fulfil the accountability requirement.
Before we explain what these bases mean, it’s important to note that there is a subset of personal data called special categories of personal data, which includes things like details on someone’s health. This data cannot be processed unless the organisation falls within an exemption. We will discuss this a little later.
What are the lawful reasons?
The GDPR defines six different bases of processing that can be used to show the legality of data processing:
· Legal obligation
· Contract
· Legitimate interests
· Consent
· Vital interests
· Public task
Each one of these is a justifiable reason for processing personal data. For each type of personal data processing an organisation carries out, it must select the most appropriate basis. There is no preferable basis and one is not better than the others; it depends solely on what data the organisation is processing and the reasons why.
The requirement to have a lawful basis in order to process personal data is not new. In the UK it replaces and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998. However, the GDPR places more emphasis on being accountable for and transparent about your lawful basis for processing.
The principle of accountability requires you to be able to demonstrate that you are complying with the GDPR, and have appropriate data processing governance. This means that you need to be able to show that you have properly considered which lawful basis applies to each processing purpose and can justify your decision.
Each and every one of an organisation’s processing activities must be covered by one or more of these reasons for processing. If you are responsible for the task, you will need to review your existing processing and any new processing planned, identify the most appropriate lawful basis and check that it applies. In many cases it is likely to be the same as the existing conditions for processing.
If no lawful basis applies to your processing, your processing will, unsurprisingly, be unlawful and in breach of the first principle. Individuals also have the right to have personal data which has been processed unlawfully erased.
In order to choose the right basis of processing, it’s important to understand what each basis is for, so let’s dig into them in a little more detail.
Legal obligation
The data is used to fulfil an obligation that an organisation has under the law. For example, in the UK, Health and Safety legislation mandates that records about accidents must be held, thus providing a legal basis of processing.
Contract
The data is used to fulfil a contract that the individual has entered into. For example, when a customer buys an item online, the seller must handle the customer’s personal data in order to deliver the item to them.
Legitimate interests
The data is used in the interests of the organisation and this interest can be justified. For example, a warehouse may record CCTV images of people passing by its loading bay. The owners of the warehouse can justify their data collection, including images of identifiable employees and suppliers, as a crime prevention measure and can record a Legitimate Interest basis of processing. The Legitimate Interest basis of processing is an area where people may dispute the legitimacy of the organisation’s decision. Each legitimate interest decision must balance the rights of the organisation against those of the data subject, and the decision must be documented. Any challenge to the basis of processing should examine whether the balancing exercise has been correctly carried out.
Consent
The data can be processed because the data subject has given their consent for the processing to take place. Social media platforms are a good example of organisations that process personal data with the permission of data subjects. The Consent basis of processing comes with additional obligations for organisations and extra safeguards for data subjects.
The GDPR raises the bar for what constitutes a “proper” consent, ensuring that the consent has been given freely and with the data subject’s full knowledge. This means that certain common practices, such as opt-out boxes, that have been used by organisations in the past are no longer allowed if consent is sought.
Vital interests
The data must be processed in order to protect life. For example, it may be necessary to handle personal data for someone who is subject to a medical emergency. In this case, the regulations are not meant to be a barrier to the overriding need to protect life.
Public task
Some organisations are obliged to handle data in order to perform their allotted roles in public life. The police are a good example of an organisation that must process data in order to carry out its duties.
The requirement for “necessary processing”
Many of the lawful bases for processing depend on the processing being “necessary” for their legality. This is certainly the case when relying on “legitimate interests”. This does not mean that processing always has to be essential. However, it must be a targeted and proportionate way of achieving the purpose.
The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means. For example, you might be able to achieve a marketing goal by leafleting all customers at an Annual General Meeting instead of holding a separate marketing database and sending the leaflets by post.
The test is whether the processing is necessary for the stated purpose, not whether it is a necessary part of your chosen method for pursuing that purpose. Documenting why it is necessary, rather than simply understanding this or assuming it, is therefore an important step in achieving compliance.
Answering the following questions should help you to determine whether your processing is necessary:
· Have you determined what your purpose for processing is and what you are trying to achieve?
· Have you checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose?
· Have you considered whether you have a choice over whether or not to process the data? This could be important in assessing whether you have one or more options for a basis for processing.
How to choose an appropriate Basis of Processing
Determining which lawful basis applies depends on the specific purpose and context for processing. You should consider which lawful basis best fits the circumstances. As mentioned earlier, no basis should be seen as always better, safer or more important than the others, and there is no hierarchy of preference in the order of the list in the GDPR. The UK Information Commissioner has been clear that none of the bases of processing is better than the others and organisations are free to use whichever is appropriate. In reality, contractual, legal obligation, public task and vital interests processing are the easiest to determine. When looking at these activities, it should be obvious that they fall under these bases of processing.
This is important as there has been so much coverage of the need for “Consent” in the media that people are beginning to think that it’s the most important basis of processing.
Under the GDPR regime every business should consider the principles before processing personal data. Think of it as a part of the decision-making process. Obviously, the vast majority of people working through GDPR compliance are likely to already be processing personal data. In this case, as a part of building a compliant position, existing processing should be subject to the same analysis.
Whether you are about to process personal data or already processing data (either in line with the old Data Protection Act or under the new regime), it is still a good idea to take a step back and consider how you would measure up against the principles if you were about to process data for the first time. This thought process can help you to develop a clear view of what risks your processing entails.
When an organisation is thinking about the basis of processing for its activities, it is important that it picks the option that fits the activity best. There is no point in choosing legal obligation as the lawful basis of processing when no legal obligation exists.
Let’s take an example: if an organisation processes personal data in order to fulfil a contract, perhaps in order to fulfil orders from customers, it is reasonable for it to assume that it is processing under the contractual basis of processing, provided it doesn’t process more data than is required to perform the contract.
If none of the bases for processing appears to fit the activities then the organisation should consider if the processing passes the legitimate interests test or indeed whether the processing activities it is undertaking are lawful.
You might consider that more than one basis applies, in which case you should identify and document all of them from the start, but you must not adopt a “one size fits all” approach.
The following process flow can help you to identify an appropriate basis of processing. Think of this as an “at a glance” way of categorising well-understood processing. Working through the questions will generally provide a clear view of your processing activities.
Figure 1 — Basis of Processing Ready Reckoner
Where you have processing that is difficult to categorise, we recommend that you consult the ICO’s website and their guided questionnaire that will help you to narrow down the appropriate basis of processing.
Recording your Basis of Processing
In order to meet the requirement for recording your basis of processing, you need to keep a record of which basis you are relying on for each processing activity you undertake. You should also document the justification or reason why you believe that basis applies. It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose.
There is no standard form for recording this. You simply need to ensure that what you record is sufficient to demonstrate that a lawful basis applies. A simple narrative accompanied by any evidence is probably appropriate. If you’ve used the ICO’s basis of processing interactive questionnaire then the result of that would form a good piece of evidence!
As mentioned in the section about processing records, your processing record or data asset register is the logical place to hold this information. Documenting this information will help you comply with accountability obligations, and will also help you when writing your privacy notices.
There’s an important point here: your processing records and the privacy notices you give to data subjects must be synchronised, otherwise you are open to the charge of not being transparent in your dealings with your data subjects. By holding the relevant information in a single location, you are likely to reduce the risk of differences being accidentally introduced.
As mentioned, the GDPR is not specific about the format of the processing records, but for most organisations some kind of electronic record is the best approach. Whilst a number of vendors have brought specific tools to market, in all likelihood, for most organisations something like a spreadsheet will be perfectly adequate.
If you are using standard office products to create and store your processing records, you should ensure that appropriate version control and protection are in place around these important regulatory records. You should ensure that backups are held in case of corruption or loss of the original.
Tell your data subjects
Once you have determined and documented your basis of processing, you must inform the data subjects about your lawful basis for processing their personal data. If this is existing processing, this should have been communicated to individuals by 25 May 2018 and you should have ensured that the information is included in all current and future privacy notices.
In line with the accountability principle, a written record of the lawful basis for processing decision should be kept. This will help with creating privacy notices and will act as a reference point if the lawful basis for processing is ever challenged.
You will be in breach of the GDPR if you do not clearly identify the appropriate lawful basis for processing from the start of your processing.
If you have failed to provide appropriate privacy information to your data subjects prior to GDPR implementation on 25 May, then this will place you in breach of the regulation, and the best course of action will be to remedy the breach as soon as possible by creating compliant privacy notices. These should be provided to everyone whose personal data you process.
Other things to consider
The different bases of processing may require you to consider various aspects of your processing. Different factors may apply if you are processing under Legitimate Interests or Consent, so let’s take a specific look at some of the things you may need to consider.
· Do you know who your processing benefits (This will be important if relying upon legitimate interests and balancing your interests against those of the individuals)?
· Have you considered whether individuals would expect this processing to take place? For example, would a customer in a coffee shop expect their photograph to be taken as they stand at the counter?
· What is your relationship with the individual? A customer may expect processing to take place, a total stranger may not.
· Do you know the impact of processing on the individual (For legitimate interest processing the impact on the individual must not outweigh the legitimate interest of your organisation)?
· Have you determined whether some of the individuals are likely to object to the processing (If so, legitimate interests may not be an appropriate basis for processing)?
· Are you able to stop the processing at any time on request (This may be important for relying on legitimate interests and also the ability to offer data subjects their enhanced rights)?
· Have you considered whether you are in a position of power over the individuals (If so Consent may not be appropriate as people may feel obligated to give their consent, breaking the “freely given” element)? For example, requesting consent from employees may be artificial as they may feel that their future career may be jeopardised if they are non-cooperative.
· Have you determined whether the individual is vulnerable (Consent may be difficult to obtain from a vulnerable individual)? For example, does someone with learning difficulties understand enough about what you are asking?
· Are you able to stop the processing at any time on request (This may be important if you are relying on Consent, as consent can be withdrawn at any time)?
Remember, it is perfectly possible that more than one basis “fits” your processing activity; if this is the case then you should identify this and make it clear from the start.
Changing your chosen Basis of Processing
You must be careful about choosing the right basis as unpicking a wrong decision could be awkward. The reason for this is that retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements because data subjects may have permitted you to process their personal data under the wrong pretext.
If you do get it wrong once the GDPR is in effect, it will be harder than it was under the Data Protection Act to swap between lawful bases if you find that your original basis was invalid. Serving an updated privacy notice may be sufficient if there is no detriment to the individuals, but if there is any identified detriment you may need to consider seeking a new agreement to carry out the data processing.
This being said, sometimes it may be necessary to adjust your basis of processing once processing has started. If there is a genuine change in circumstances or you have a new and unanticipated purpose, which means there is a good reason to review your lawful basis and make a change, you need to inform the individual and update your privacy notice. You should also document the change and the reasons it became necessary.
As a general rule, if you have a new purpose for existing data that is different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, then it is unlikely to be compatible with your original purpose for collecting the data. In this circumstance, you need to identify and document a new lawful basis to process the data for that new purpose. You will also need to consider whether the new processing is fair and transparent and make sure you give individuals information about the new purpose. This is an area where some companies, especially start-ups, can get themselves into difficulty if they change their business model or seek further sources of revenue.
For example, if you have collected personal data from individuals for the purpose of providing an online banking service, it would not be appropriate to market plumbing supplies to the customers, as this is an entirely different purpose that will have a different legal basis for processing.
However, you may want to use their data for research to improve the online banking product, and if this wasn’t explained to them when they signed up for the service, it may be sufficient to simply provide a further processing notice the next time they use the service to confirm that product improvement research will be carried out and that by using the service they agree to this.
Basis of processing for Special Personal Data
Certain personal data that is considered more sensitive is given special protection by the GDPR. Imaginatively, this category of data is known as “special personal data”. It is similar to the concept of “sensitive personal data” under the old UK Data Protection Act.
As a general rule, the regulation prohibits processing “special personal data” unless the organisation’s activities fall into one of the exemptions that allow processing to take place.
The special categories of personal data are as follows:
· Race and ethnic origin
· Affiliation information such as politics, religion and trade union membership
· Identifying markers such as genetics and biometrics
· Health information, sexual activity and sexual orientation
Any processing within these categories is expressly prohibited unless the organisation meets one of the exemptions under the GDPR or, in the UK, the UK Data Bill.
For most organisations, the exemptions to processing “special personal data” that are most likely to apply are:
· Processing with explicit consent
· Processing to follow employment obligations
· Because the person has made the data public
· To complete duties to engage in crime prevention activities, such as fraud prevention
Organisations should not process any data in the special categories unless they have clear evidence that the exemptions apply to their particular circumstances. If you process special personal data you may want to seek expert advice as the penalties for processing this data unlawfully are likely to be greater than for other types of data.
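The record-keeping and special-category rules above lend themselves to a simple automated check over a processing record. The following is an added example, not code from the original chapter or from the ICO: it models a small data asset register as Python objects and audits each activity for the gaps the chapter warns about (no basis or justification recorded, a privacy notice that does not match the recorded basis, legitimate interests without a documented balancing test, consent without a way to withdraw it, and special category data without one of the listed exemptions). The category labels, exemption names, field names and the four sample activities are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Basis(Enum):
    """The six lawful bases of processing described in the chapter."""
    LEGAL_OBLIGATION = "legal obligation"
    CONTRACT = "contract"
    LEGITIMATE_INTERESTS = "legitimate interests"
    CONSENT = "consent"
    VITAL_INTERESTS = "vital interests"
    PUBLIC_TASK = "public task"


# Special categories as listed in the chapter (labels are this example's own, assumed).
SPECIAL_CATEGORIES = {
    "race", "ethnic origin", "politics", "religion", "trade union",
    "genetics", "biometrics", "health", "sexual activity", "sexual orientation",
}

# The exemptions the chapter names as the ones most organisations rely on (labels assumed).
SPECIAL_EXEMPTIONS = {"explicit consent", "employment obligations", "made public", "crime prevention"}


@dataclass
class ProcessingActivity:
    """One row of a hypothetical processing record / data asset register."""
    name: str
    purpose: str
    data_categories: List[str]
    bases: List[Basis]                       # chosen up front, one or more
    justification: str = ""                  # narrative evidence for why the basis applies
    privacy_notice_bases: List[Basis] = field(default_factory=list)  # what data subjects were told
    special_exemption: Optional[str] = None  # required if any special category is present
    balancing_test_documented: bool = False  # required for legitimate interests
    withdrawal_mechanism: bool = False       # required for consent


def check_activity(a: ProcessingActivity) -> List[str]:
    """Return a list of compliance gaps for one activity; empty means no gap found."""
    findings: List[str] = []
    if not a.bases:
        findings.append("no lawful basis recorded")
    if not a.justification.strip():
        findings.append("no justification recorded")
    # Records and privacy notices must say the same thing (transparency).
    if set(a.bases) != set(a.privacy_notice_bases):
        findings.append("privacy notice does not match recorded basis")
    if Basis.LEGITIMATE_INTERESTS in a.bases and not a.balancing_test_documented:
        findings.append("legitimate interests relied on without a documented balancing test")
    if Basis.CONSENT in a.bases and not a.withdrawal_mechanism:
        findings.append("consent relied on without a way to withdraw it")
    special = {c for c in a.data_categories if c.lower() in SPECIAL_CATEGORIES}
    if special and a.special_exemption not in SPECIAL_EXEMPTIONS:
        findings.append(f"special category data {sorted(special)} without a recognised exemption")
    return findings


def audit_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Audit every activity in the register, keyed by activity name."""
    return {a.name: check_activity(a) for a in register}


# Constructed sample register, loosely based on the chapter's own illustrations.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="order fulfilment", purpose="deliver items bought in the online shop",
        data_categories=["name", "delivery address"], bases=[Basis.CONTRACT],
        justification="the address is needed to deliver the goods the customer ordered",
        privacy_notice_bases=[Basis.CONTRACT]),
    ProcessingActivity(
        name="loading bay CCTV", purpose="crime prevention around the loading bay",
        data_categories=["images of staff and suppliers"], bases=[Basis.LEGITIMATE_INTERESTS],
        justification="deters theft from the loading bay",
        privacy_notice_bases=[Basis.LEGITIMATE_INTERESTS], balancing_test_documented=False),
    ProcessingActivity(
        name="accident book", purpose="keep records of workplace accidents",
        data_categories=["name", "health"], bases=[Basis.LEGAL_OBLIGATION],
        justification="health and safety legislation requires accident records",
        privacy_notice_bases=[Basis.LEGAL_OBLIGATION], special_exemption="employment obligations"),
    ProcessingActivity(
        name="newsletter", purpose="email marketing to customers",
        data_categories=["email address"], bases=[Basis.CONSENT], justification="",
        privacy_notice_bases=[Basis.LEGITIMATE_INTERESTS], withdrawal_mechanism=True),
]

if __name__ == "__main__":
    for activity, gaps in audit_register(SAMPLE_REGISTER).items():
        print(f"{activity}: {gaps or 'no gaps found'}")
```

Running the script lists the CCTV activity as lacking a balancing test and the newsletter as having no justification and a privacy notice that contradicts the register, while the accident book passes because the health data is covered by a recorded exemption. Keeping the check in code next to the register makes the synchronisation between records and privacy notices something that can be run on every change rather than rediscovered during a challenge.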