Comedy or Tragedy?

To process or not to process? Now that’s the question!

Because if it’s personal data, you need a valid lawful basis to do so…

Even though we have no relation whatsoever to that great writer, we thought we’d go all Shakespeare on you:

“Better three hours too soon than a minute too late…”

We’re not sure what the Bard of Avon would have made of GDPR but we’re pretty sure he’d have seen the sense in being prepared for it.

Because, with the updated data protection regulation soon coming into effect – with more emphasis on accountability and transparency in how and why you process data – now is the time to review and bring your processing in line with it. Before it’s too late.

If you process personal data, you must have a valid lawful basis to do so – it’s not just about consent!

Ahead of GDPR Day on 25th May, anyone who processes personal data needs to have a clear and documented rationale as to why they are processing it, and be sure that it still correctly applies. And, it’s not just confined to gaining individuals’ consent – your reason (or reasons) needs to be lawfully recognised!

There are six lawful bases for processing data, and they remain fairly similar to the old conditions.

No single basis is ’better’ or more important than the others; whichever basis is most appropriate for you to use will depend on your purpose for processing the data, and your relationship with the individual.

However, you first need to ensure that you’ve proactively reviewed your approach and can justify it accordingly. Otherwise you’ll be in breach of the GDPR.

If you find that your old condition for processing is no longer appropriate under the GDPR, or identify that a different basis is now more suitable, that’s okay – you can change it. However, once you’ve established your basis, there should then be no need to swap to a different one in the future without good reason.

Either way, it’s a one-off opportunity to ensure you’re doing things right, so act now!

So, to help you work out whether you’re using the right lawful basis to process personal data (and at least one of them must apply), here they are, as published by the Information Commissioner’s Office:

Consent basis

The individual has given clear consent for you to process their personal data for a specific purpose.

Contract basis

The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation basis

The processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests basis

The processing is necessary to protect someone’s life.

Public task basis

The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests basis

The processing is necessary for your legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Some final thoughts…

Hopefully, you’ve found this helpful and are lawfully on top of your processing.

For some final peace of mind, then, consider these few additional questions:

Have you reviewed why you need to process personal data, and selected the most appropriate lawful basis (or bases) to do so?

Have you checked that your processing is actually necessary, and satisfied yourself that there’s no other reasonable way to do it?

Have you documented your decision on which lawful basis applies to help you demonstrate GDPR compliance?

Have you included information on your purposes for processing and its relevant lawful basis in your privacy notice?

Still unsure? We’re here to help!

If you think you could still do with a hand, please get in touch – we’re here to help.

The last thing we want is to hear that you’ve fallen foul of the new regulations or see you in headlines that read “Alas, poor [insert company name here]. They are no more…”

Instead, make GDPR your friend and embrace it. As we like to say here at Databasix: “If data be the food of love, process on…” Legally, of course.

Until next time…

The information and remarks provided in this article represent insight and guidance for best practice which is correct or valid or appropriate at time of publication.
