One of the things I’ve noticed recently as the conversations around GDPR heighten is that many people are not clear that there are 6 lawful bases for processing data under GDPR. Perhaps this confusion is caused by the ICO. They did not clearly outline the 6 bases in their published 12 step guide for preparing for GDPR. You have to use a link to another page to find the detail. Instead, the 12 step guide does devote an entire step to consent. This is because GDPR raises the threshold for consent. But it does not mean that consent is the only grounds for processing of data.
For clarity, step 6 in the ICO 12 step guide states:
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
The requirement for having legal grounds for processing data is not new. However, the GDPR requires you to be more accountable and transparent about your legal basis for processing data. Also, some individuals’ rights will be modified depending on your basis for processing their personal data. This is why it is so important to audit your data and to document the type of data you hold as well as your basis for processing that data. Updating your privacy notices, clearly stating how you process data and why is essential.
As stated by the ICO, these are the 6 lawful bases for processing data under GDPR. At least one of these must apply whenever you process personal data.
1 Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
2 Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3 Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4 Vital interests: the processing is necessary to protect someone’s life.
5 Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6 Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Whichever basis your reply on for processing data, it can also affect the rights of the individuals.
This is a table from the ICO website which demonstrates how some rights will not apply, depending on the basis for your processing:
The GDPR can be quite confusing. What might be the best approach for lawful processing of data for one business, might not be the best approach for your organisation. It all depends on the type of data you hold and why you choose to process it.
If you need help making sure your marketing is GDPR compliant we can help. Start with a free marketing audit.