Published on Sep 23, 2021
Over several articles, we've been writing about different tips for implementing GDPR. In this series, we're focusing on how to conduct a GDPR audit. This is an activity all organisations should be familiar with, not just at the outset but on an ongoing basis in the drive for optimum data compliance. In our last article we looked at data mapping: discovering what personal data your organisation holds, why it is retained, and where and how it is being stored.
Now we're turning our attention towards establishing the lawful basis for processing the personal data you hold. The processes outlined herein will also be of benefit when commencing a new project, as part of a data protection impact assessment (DPIA), and when implementing appropriate organisational measures to ensure data protection by design and default.
The starting point is that unless one of the conditions set out in Article 6 of the GDPR is met, the processing of personal data is unlawful. If you are processing special categories of data, Article 9 lists an additional ten conditions, at least one of which is required alongside an Article 6 condition for the processing to be lawful. Five of these Article 9 conditions carry further requirements that must be satisfied under Schedule 1 of the Data Protection Act 2018.
Now, before you throw your hands up in the air and curse the day regulations were ever invented, let us reassure you that once you understand the requirements, developing policies and procedures to ensure compliance is relatively straightforward. And, if you focus on creating a culture of data protection and privacy compliance throughout your business, lawful processing will become second nature.
Under Article 6(1), at least one of the following must apply for the processing of personal data to be lawful:
(a) the data subject has given consent to the processing for one or more specific purposes;
(b) processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary to protect the vital interests of the data subject or another natural person;
(e) processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Contrary to popular belief, businesses will often rely on several lawful bases for the different processing activities carried out across individual departments. While consent is one of the more commonly used bases, it is not always required or appropriate. For example, processing personal data for the performance of a contract or to meet a legal obligation is essential for normal operations to continue. In the same way, vital interests provides the lawful basis for holding emergency contact information for employees or customers.
For the remainder of the article, we will examine consent and legitimate interests in closer detail, as these are the two lawful bases that cause the most confusion. We're also going to look at the soft opt-in rule under the Privacy and Electronic Communications Regulations 2003 (PECR).
To clarify the definition of consent, we need to look at Article 4(11), which states that consent of the data subject means "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
You also need to be aware of Article 7, which sets out four conditions for consent: you must be able to demonstrate that consent was given; a request for consent must be clearly distinguishable from other matters and presented in clear and plain language; the data subject must be able to withdraw consent at any time, as easily as it was given; and consent must be freely given, so it should not be tied to a contract where it is not necessary. Here is what each of those means in practice:
In short, keep a record of where and how consent was given.
Don't obfuscate or bury requests for consent; be transparent and open, or the consent may not count.
You must provide clear and unambiguous information about how to withdraw consent when first requesting permission to process the personal data. Explain how to make such a request and include the details in your privacy information. Additionally, you can create an internal procedure for managing a data subject's withdrawal of consent under the GDPR so that staff know how to handle the request efficiently.
Consent should not be made a pre-condition for making a purchase or accessing a service, especially if the data isn't strictly necessary. Moreover, where personal information is required to deliver a solution, product, or service, the more appropriate lawful basis for processing would likely be the performance of a contract.
Your policies and procedures around obtaining consent should be drafted with Article 7 in mind. While considering the above for marketing communications, it is also worth looking at the soft opt-in rule under PECR.
Under the Privacy and Electronic Communications Regulations (PECR), you cannot send marketing emails or texts, or in some circumstances make marketing calls (for example, where someone has registered with the Telephone Preference Service (TPS)), unless you have their consent. That said, PECR does provide what is known as a soft opt-in for electronic mail.
Essentially, this means that if someone has made a purchase or expressed an interest in making a purchase online (the ICO defines this as negotiating for a sale in its direct marketing guidance) and has given you their email address, you can assume they will not object to receiving communications about similar products. You must, however, offer them a clear opportunity to opt out when you first acquire their information and in every communication you send after that.
In the specific situation of including marketing content within newsletter emails, the law has recently been clarified. There are no longer any grey areas when it comes to the sorts of information that may be distributed to a newsletter readership. We wrote about the legal ruling to provide certainty to marketers and business owners about what they can or cannot include in their newsletter communications.
Although there are many situations where legitimate interests may be the appropriate basis, deciding to rely on legitimate interests is a more complex process than for the other lawful bases. For many businesses, this can be off-putting, but it doesn't need to be.
Businesses can rely on legitimate interests as a basis for processing personal information where they can demonstrate that their decision balances the interests of the controller against the rights of data subjects.
If you are planning to use legitimate interests, you will need to conduct a Legitimate Interests Assessment (LIA). This is a light-touch risk assessment. Although it is not a mandatory requirement, it is difficult to meet the GDPR accountability requirement without it.
Although there is no standard format for conducting an LIA, the ICO recommends a three-part test: a purpose test, a necessity test and a balancing test.
For the purpose test, consider why you want to process the data and what you are trying to achieve. You will need to take into account who benefits from the processing, whether this includes the wider public, and if so, how exactly. Conversely, what would be the impact of not processing the information?
Next, the necessity test looks at whether the processing is necessary for the purpose. Examine how your interests are furthered, whether the processing is a reasonable means of securing those interests, and whether a less intrusive approach could achieve the same result.
Lastly, the balancing test is intended to help you decide whether the data subject's interests override the legitimate interest. Here you will need to consider your relationship with the data subject, the types of data being processed, and whether it is special category data or children's data. If asked, would you be comfortable explaining why you are using personal data for the purpose in question, and would people think it is reasonable? You should also consider the impact on the individual, whether they are vulnerable in any way and what safeguards can be implemented to mitigate or minimise the impacts.
Several EU GDPR recitals (47, 48, 49 and 50) give examples of processing that could be necessary for the legitimate interests of a controller. These include fraud prevention, network and information security, and indicating possible criminal acts or threats to public security. The Government Data Quality Hub recently published details of a Legitimate Interests Assessment it performed using the ICO's template.
Establishing the lawful basis for processing personal data is a great example of why the data protection officer or lead should possess a thorough understanding of privacy law combined with experience of how the business operates. It is for this reason that we recommend implementing a long-term GDPR training, learning and development programme, so that employees with data protection responsibilities develop their privacy skills alongside knowledge of the business and the industry sector.
Once you have established the lawful basis or bases for processing the personal data you hold, the next steps are to review your external notification and transparency documentation and to create or review internal policies and procedures. We will cover all these steps in our next article.