To process or not to process? Now that’s the question!
Because if it’s personal data, you need a valid lawful basis to do so…
Even though we have no relation whatsoever to that great writer, we thought we’d go all Shakespeare on you:
“Better three hours too soon than a minute too late…”
We’re not sure what the Bard of Avon would have made of GDPR but we’re pretty sure he’d have seen the sense in being prepared for it.
Because, with the updated data protection regulation soon coming into effect – with more emphasis on accountability and transparency in how and why you process data – now is the time to review and bring your processing in line with it. Before it’s too late.
If you process personal data, you must have a valid lawful basis to do so – it’s not just about consent!
Ahead of GDPR Day on 25th May, anyone who processes personal data needs to have a clear and documented rationale as to why they are processing it, and be sure that it still correctly applies. And, it’s not just confined to gaining individuals’ consent – your reason (or reasons) needs to be lawfully recognised!
There are six lawful bases for processing data, and they remain fairly similar to the old conditions.
No single basis is ’better’ or more important than the others; whichever basis is most appropriate for you to use will depend on your purpose for processing the data, and your relationship with the individual.
However, you first need to ensure that you’ve proactively reviewed your approach and can justify it accordingly. Otherwise you’ll be in breach of GDPR compliance.
If you find that your old condition for processing is no longer appropriate under the GDPR, or identify that a different basis is now more suitable, that’s okay – you can change it. However, once you’ve established your basis, there should then be no need to swap to a different one in the future without good reason.
Either way, it’s a one-off opportunity to ensure you’re doing things right, so act now!
So, to help you work out whether you’re using the right lawful basis to process personal data (and at least one of them must apply), here they are, as published by the Information Commissioner’s Office:
Consent basis
The individual has given clear consent for you to process their personal data for a specific purpose.
Contract basis
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation basis
The processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests basis
The processing is necessary to protect someone’s life.
Public task basis
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests basis
The processing is necessary for your legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Some final thoughts…
Hopefully, you’ve found this helpful and are lawfully on top of your processing.
For some final peace of mind, then, consider these few additional questions:
Have you reviewed why you need to process personal data, and selected the most appropriate lawful basis (or bases) to do so?
Have you checked that your processing is actually necessary, and satisfied that there’s no other reasonable way to do it?
Have you documented your decision on which lawful basis applies to help you demonstrate GDPR compliance?
Have you included information on your purposes for processing and its relevant lawful basis in your privacy notice?
Still unsure? We’re here to help!
If you think you could still do with a hand, please get in touch – we’re here to help.
The last thing we want is to hear that you’ve fallen foul of the new regulations or see you in headlines that read “Alas, poor [insert company name here]. They are no more…”
Instead, make GDPR your friend and embrace it. As we like to say here at Databasix: “If data be the food of love, process on…” Legally, of course.
Until next time…