If your business processes personal data, data law compliance should be a top priority. The UK General Data Protection Regulation (‘UK GDPR’) is the law governing the use of personal data. Under the UK GDPR rules, an organisation must determine a lawful basis (or bases) for processing personal data before beginning to process it. Otherwise, you risk facing serious fines. This article will explore what a lawful basis for processing personal data is.
What Are the Lawful Bases?
Processing personal data is only lawful if the data protection law rules allow it. The UK GDPR rules set out six lawful bases for processing personal data. Therefore, you must establish at least one of the following bases to process personal data lawfully. Notably, it is up to your organisation to determine which lawful basis for processing personal data is appropriate.
1. Consent
Consent is where your customer or employee has clearly agreed to your business processing their personal data for a specific purpose. The person must give their consent:
- freely;
- for the specified purposes your business outlines; and
- in an informed manner, meaning they understand the implications of providing consent.
When relying on consent, you will need to keep appropriate records. You should keep clear records of:
- what an individual has consented to; and
- when and how the consent was obtained so that you can demonstrate compliance in the event of a complaint.
Consent given once cannot ‘last forever’. Instead, how long consent remains valid depends on the circumstances, such as the:
- context in which an individual gave consent; and
- expectations of the individual who gave their consent.
2. Contract
Another lawful basis for processing personal data is the performance of a contract. You can rely on this basis if you need to process personal data to:
- perform a contract, such as delivering a service; or
- take steps at the data subject’s request before entering into a contract, such as providing a quote.
The processing must be ‘necessary’ for the performance of the contract.
Some common examples of this include:
- using a customer’s banking and contact details to send them an invoice to pay for services under a contract; and
- an employer using an employee’s personal data to fulfil their obligations under the employment relationship, for example, to pay the employee a salary.
3. Legal Obligations
You can also process personal data if it is necessary to comply with the law. For example, this ground could be used where an employer needs to comply with its legal obligations to disclose employee salary details to HMRC.
4. Vital Interests
Processing personal data is also lawful where it is necessary to protect someone’s life. For example, if someone has an accident and you need to share their details with medical staff in an emergency, processing personal data would be necessary. However, in practice, this legal basis is very limited in scope.
5. Public Task
Another basis you can rely upon to process personal data is to perform a task in the public interest or for your official functions where the task or function has a clear basis in law.
This ground usually applies to public authorities and is unlikely to apply to commercial organisations.
6. Legitimate Interests
In some instances, processing personal data is necessary for your legitimate interests or the legitimate interests of a third party. However, such interests cannot outweigh the rights of the data subject.
Where you rely on this ground, you must conduct a legitimate interest assessment. A legitimate interest assessment is a three-part test. The test involves:
- identifying a legitimate interest;
- showing that your processing is necessary to achieve the interest; and
- balancing that against the individual data subject’s rights.
In practice, this is a very flexible ground under the UK GDPR. An example where businesses rely on this ground is when processing personal data for direct marketing activities.
How Should Businesses Process Personal Data?
You must determine your lawful basis before you begin processing personal data. Once you have considered the appropriate lawful basis for which you will process personal data, you should document this. For example, you can include this in your Record of Processing Activities.
You should also set out your lawful bases for processing personal data in your Privacy Policy document. If your purposes for processing personal data change, you will generally then need to consider a new lawful basis.
Special category data, criminal conviction data, and data about offences require additional consideration. When processing these types of data, extra legal rules apply in addition to considering the appropriate lawful basis for processing.
Key Takeaways
To process personal data, your organisation must determine an appropriate ‘lawful basis’ for processing that data. You should identify an appropriate lawful basis before your organisation begins processing personal data. Lawful bases for processing should be documented; for example, they should be set out in your organisation’s Privacy Policy.
If you need help complying with the UK GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.