The GDPR Series – Lawful Basis for Processing
Entry 3 of 6
Welcome to the third blog in our 6-part series on GDPR. With so much emphasis on the new regulation and the May 25th deadline drawing closer, we wanted to offer you some assistance in addressing the key questions around the new requirements. As you know, acceptcards® are experts in payments... but not so much in data protection regulations, with this in mind we have invited our friends from Legacy IT Consultants Ltd to write this guest series on our behalf. Enjoy!
The General Data Protection Regulation (GDPR) is an EU regulation that seeks to strengthen and unify data protection for all EU residents. Under the GDPR, the Lawful Basis for Processing is similar to the Conditions for Processing under the Data Protection Act.
The six lawful basis for processing are:-
- Consent of the individual
- Performance of a contract with the individual or to take steps to enter into a contract
- Compliance with a legal obligation
- To protect the vital interests of an individual
- In the public interest or in the exercise of official authority vested in the data controller
- For legitimate interests pursued by the data controller or a third party
In addition, there are ten lawful bases for processing special categories of personal data. The two that we will discuss are Consent and Legitimate Interest.
Consent should be freely given and updated regularly. This means offering individuals real choice and control. Genuine consent should put individuals in charge of their data, build trust between an individual and an organisation, and enhance the reputation of the organisation seeking consent.
Consent under the GDPR must be:-
- Freely given, not tied to any other service or processing
- Specific, granularity must be included, for instance by channel (SMS, phone, post, email)
- Informed, the individual must know exactly what they are consenting to
- Unambiguous, the consent must be clearly described and the action of confirming consent must be explicit
- Indicated by a clear affirmative option, known as a positive opt-in, pre-ticked boxes or inactivity are no longer sufficient
There must be a simple way for an individual to opt out of consent, it must be as easy to opt out as it was to opt in.
Consent must be verifiable, so you must be able to show when an individual gave their consent and exactly what that consent was for. It is generally accepted that the individual has more rights when the lawful basis for processing is consent.
One of the common questions related to consent is, ‘Will my current consents be sufficient for GDPR?’ You can continue to use your current consents gathered under the Data Protection Act provided that they were collected in a GDPR compliant manner, including the date and time captured, and the explicit details of what has been consented to.
In our experience, most current consents are not GDPR compliant! If your current consents are not compliant under the GDPR then you must re-establish consent once your capture mechanisms are GDPR compliant and before 25th May 2018. If this is not possible then it may be that you should establish a different lawful basis for your processing.
If an individual has opted out under the DPA then it is not permitted to ask them to opt in under the guise of establishing GDPR compliant consents.
Legitimate Interest is the most flexible lawful basis for processing. It is likely to be most appropriate where you use an individual’s data in ways that they would reasonably expect, and which have a minimum impact on privacy, or where there is a significant justification for the processing.
Legitimate Interest refers to the benefit that an organisation may derive from the processing of personal data. The benefit could be applied to organisations or communities outside of the organisation. The legitimate interest must be genuine, and not in contradiction with other lawful bases, for instance consent.
The GDPR describes six examples of legitimate interest.
- Direct Marketing. This implies that an organisation has a legitimate interest in marketing to an existing customer. However, the customer must still be given a simple mechanism to opt out of this processing.
- Relevant and Appropriate Relationship. This is where, for instance, the individual is a client of the organisation.
- Reasonable Expectations. This is where the Data Controller considers that the individual would have a reasonable expectation that the processing will take place, for instance a credit check.
- Transmissions for internal administrative purposes. This would include, for instance, employer / employee processing.
- Network and Information Security. This includes prevention of unauthorised access and preventing damage to computer systems.
- Legal Reporting. This includes reporting potential criminal activity or threats to public security to the relevant authority.
Legitimate interest has three distinct elements, often referred to as a three-part test.
- Identify. You must identify a legitimate interest.
- Necessity. You must show that the processing is necessary to achieve the legitimate interest.
- Balance. You must balance the legitimate interest against the interests, rights and freedoms of the individual.
You should document your legitimate interest and the outcome of the above elements to demonstrate that you have considered all of the elements and for your own compliance. If you choose to rely on legitimate interest as the lawful basis for your processing you are taking on additional responsibility for considering and protecting and individual’s rights and interests, as evidenced by the three-part test.
For more information, advice or assistance on the GDPR please visit the Legacy IT website here or email them at firstname.lastname@example.org
Author: Mike Madden - Legacy It Consultants Ltd.