GDPR and Processing Personal Data
This blog post will outline the key steps and regulations that govern how companies and organisations may use and process personal data and information. It will cover what is meant by GDPR and by personal data, what a lawful basis for processing is, and the six lawful bases that must be considered and followed when using an individual's data.
What is GDPR?
The updated GDPR regulation, Regulation (EU) 2016/679, was published on 27th April 2016 and applies to any company or entity within the EU which processes personal data, and to any company outside the EU which offers goods or services to, or monitors, individuals within the EU. This regulation is still applicable to the UK until at least 27th June 2025.
“the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”
What is a Lawful Basis for Processing Data?
- For consent, the individual has given you permission to process their personal data for a specific purpose.
- For a contract, the processing is necessary for an agreement you have with an individual, or they have asked you to perform specific tasks before finalising an agreement.
- For legal obligation, the processing is necessary for you to comply with other laws.
- For vital interests, the processing is necessary to protect someone’s life.
- For public task, the processing is essential to performing a task in the public interest, or for official functions.
- For legitimate interest, the processing is necessary to serve the interests of yourself or a third party, so long as there’s no good reason to protect the individual’s personal data.
For an organisation there are various considerations to be aware of when processing personal data and information, such as:
- Your privacy notice should indicate which lawful basis you apply for processing personal data.
- You should not change which lawful basis you use without good reason, particularly when changing from consent.
- In most cases, processing must be necessary.
Consent
The individual has given you permission to process their personal data for a specific purpose.
When asking for consent, the user must be able to refuse to give consent without consequence, and must be able to withdraw consent.
It is also important to keep a record of when consent was given, as well as who, how and what consent was given for.
A positive opt-in is necessary, and should offer granular options where appropriate. The terms must be clear and concise. (See Example Left)
In this context, “consequence” generally refers to the ability for the user to continue using the service. Unless the lack of consent precludes executing certain functionality (such as mailing services) the user should be able to refuse to give consent (or revoke consent) without losing access to the service.
If the terms of consent change, you may not be able to assume that consent that was previously given is still applicable.
Contract
The individual has asked you to perform a task before entering into a contract, or you require their personal data to fulfil a contractual service.
It does not matter if the individual does not enter into a contract with you, so long as the processing was done in the pursuit of a contract.
Any processing done for this purpose must be targeted and proportionate; it does not qualify if there are reasonable less-intrusive options.
The data may not be processed for other purposes, even if it serves other lawful business purposes.
A good example of a pre-contract task is giving a quote for a service. It may be necessary to process some of the user's personal data to draw effective conclusions.
Legitimate Interests
Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
The individual reasonably expects you to process their personal data in this way, and it has a minimal impact on their privacy.
It may serve the interests of yourself or a third party, so long as there’s no good reason to protect the individual’s personal data.
It is important to consider why they want the information, whether they actually need it, and what they will do with it.
It does not qualify if individuals would likely object to its use if made aware.
It is by far the most flexible of the six lawful bases.
The UK GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.