Lawful processing reasons
Processing personal data will only be permitted when it is lawful to do so, and Article 6 of the GDPR allows processing on the following six grounds:
1. Consent
2. Necessary for performance of a contract
3. Necessary to comply with a legal obligation
4. Necessary to protect the vital interests of an individual
5. Necessary for performing a public interest or official task
6. Necessary for the purposes of legitimate interests
Where an organisation needs to process personal data for the performance of a contract or to comply with a legal obligation, the lawful processing reason will usually be self-evident. Grounds 4 and 5 will be the least used in the business sector. It is the consent and legitimate interests grounds that will attract most discussion about how they work and whether they are genuinely available as a lawful processing ground.
Consent may be seen as the most risk-free and certain option, but the GDPR sets a high standard for consent as a lawful processing ground. Consent moves from a static, one-off, tick-box consent to process all personal data received, to a dynamic, ongoing and active choice requiring affirmative action, because it is the individual who controls when, why and to what they are consenting.
Consent is defined in Article 4(11) as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
Relying on consent as a lawful processing ground will be useful for legitimising the use of special category data and effecting overseas transfers, but this needs to be balanced against the individual's ability to withdraw consent, and the difficulty of ensuring and recording that consent has been given for the correct reason.
The ICO published final guidelines on the use of consent on 9 May 2018.
In the absence of the contract performance or legal obligation grounds, processing personal data without consent in the private sector is permissible where there is a genuine and legitimate reason why the personal data is being processed and there is no unwarranted impact on the individual. In such circumstances, the legitimate interests processing ground can be used.
The Recitals of the GDPR give examples of where processing may be considered a legitimate interest; these include:
- Processing for direct marketing purposes (caution required with the PECR legislation)
- Transmitting personal data on an intra-group basis for internal administrative purposes
- Prevention of fraud
- Reporting of criminal acts
- Ensuring network and information security
The GDPR’s accountability principle makes it clear that organisations need to be able to demonstrate what lawful processing ground(s) is/are being used for the particular kind of personal data being processed.
Most organisations are likely to be processing the personal data of employees, contractors, customers and individuals connected with their suppliers. Personal data can be as simple as a work email address, provided it identifies the individual. Identifying, and keeping written records of, why personal data needs to be processed is key to GDPR compliance.