GDPR: Lawfully Processing Data
GDPR is still a prominent concern, especially as many organisations now regularly process large volumes of data. So, do you need to obtain consent from an individual to enable your organisation to process that data?
With the new regulations in place, most people would assume yes; however, the correct answer is: not always.
An organisation can process data without obtaining an individual’s consent provided they have a valid reason for processing that data. There are only six lawful reasons under which your organisation can process data without having to obtain consent.
Between 25th May 2018 and 10th January 2019, the ICO issued 57 monetary penalties (24 enforcement notices, 16 prosecutions and 12 undertakings). This demonstrates the importance of your organisation ensuring it accurately assesses the basis upon which it is processing data.
The six lawful processing reasons are:
1. Contractual basis
Processing data on a contractual basis is probably the most time-effective method for demonstrating the organisation's compliance in relation to processing data. Your contract evidences that you are processing data in accordance with its terms, and that the processing is carried out in order to fulfil that contract. However, care should be taken not to process data after a contract has been concluded, or beyond the scope of the contractual provisions.
It is therefore important that the organisation's contracts have been reviewed and updated to be compliant with GDPR. This includes internal contracts (e.g. employee contracts and policies), external contracts (e.g. providing goods and/or services to others), and data sharing agreements with those with whom you regularly share information.
2. Legal obligations
If your organisation has employees, it will be required to process data in compliance with its legal obligations, for example processing information with HMRC or pension providers.
Alternatively, you may receive a court order or a request for disclosure by the Police.
In these circumstances, you do not need to obtain consent from an individual to process data.
3. Consent
Should your organisation rely on consent to process data, then unfortunately the requirements to demonstrate compliance are much more onerous.
Your organisation will need to demonstrate not only that you have obtained consent, but also that the consent was obtained with the individual clearly understanding how their data would be used, and with whom it would be shared.
This consent must be positive consent; organisations can no longer rely on silence or pre-ticked boxes. Consent must be regularly reviewed, and checks must be in place to ensure that the processing does not exceed the purposes for which consent was given.
It is therefore important that your organisation has a suitable privacy policy which details the lawful and valid reason(s) under which data is processed. The organisation should also have internal procedures in place for checking and reviewing.
Remember, consent can also be withdrawn, which would mean that you would have to cease processing the data.
Note: It’s not advisable to swap between your lawful reasons for processing data. If you begin processing data under consent, avoid changing to contractual obligations, unless you can demonstrate a valid reason for doing so.
4. Legitimate business interests
Care should be taken if you intend to process data under legitimate business interests: it must be a genuine, low-risk processing scenario, rather than an attempt to circumvent the compliance hurdles of the other lawful reasons.
A legitimate business interest must involve using data in a manner that the individual could reasonably anticipate or expect. Therefore, if you intend to process data in this way, you should have evidence in place documenting your justification should any individual object.
The ICO gives the example of an employer processing emergency contact details for its employees as a legitimate business interest. Similarly, schools and nurseries may hold emergency contact details on this basis.
Some limited, connected marketing may also fall within legitimate business interests. The ICO provides the following example of this type of marketing:
Example: Last month you made a one-off donation to a charity and as part of this you gave them your address. The charity decides that it has a legitimate interest to process your address details to send you a fundraising letter by post. It believes that you would reasonably expect to hear from them and that the privacy impact on you is minimal but it includes details of how you can opt-out within the mailing. The charity relies on the legitimate interests basis to send the fundraising mailing to you.
Great care should also be taken if you purchase or obtain data from third parties, such as marketing lists, to ensure that the details contained have been obtained and shared lawfully.
5. Vital interests and 6. Public administration
Only organisations or public authorities (e.g. councils, the NHS, etc.) that process data either to protect an individual's life or to perform a task or official function in the public interest will be relying on these lawful reasons for processing data.
As you can see, these six reasons can be complex. You need to ensure your organisation has opted for the most appropriate route, and that it meets all the necessary requirements within it.
If you need support to understand or meet the regulations then contact GA Solicitors. We can assist you with GDPR compliance, guidance on reporting and also employee sanctions if required, ensuring all activities are in compliance with the law.
Call 01752 203500 or email me directly via donna.butler@GAsolicitors.com.
All content on this website (inclusive of guides, blogs and imagery) is strictly copyrighted by Gill Akaster LLP, trading as GA Solicitors. It is not to be used by any third party without prior contact and permission. Any requests for content should be sent to katy.mckenna@GAsolicitors.com.