Whilst it has always been a requirement under data protection law to have a legal basis for processing personal data, under GDPR your business is now also required to be accountable for, and transparent about, the legal basis on which it processes personal data.
It is important to be aware that there is no one-size-fits-all approach when applying a legal basis to the personal data you process. The right choice depends on what you do with the data: you need to understand what you do with it and why you process it, so that you can select the most appropriate legal basis for each of your specific data processing activities.
The six legal bases for processing are set out in Article 6 of the GDPR, and your business must rely on at least one of these when processing personal data:
- Consent: this is where the individual has given clear consent for you to process their personal data for a specific purpose – see last week’s article on consent.
- Contract: this is where processing is necessary for a contract you have with the individual or supplier. For example, you could use this legal basis for a contract of employment.
- Legal obligation: this is where the processing is necessary for you to comply with the law. This does not include contractual obligations. For example, keeping employee records where the law requires you to do so could come under this legal basis.
- Vital interests: this relates to the processing that is necessary to protect someone’s life.
- Public task: this could be used in relation to processing that is necessary to perform a task in the public interest or in the exercise of an official function, where the task or function has a clear basis in law.
- Legitimate interests: this is where the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
When choosing your legal basis, be sure that you select the right one, as you cannot change it later unless you have a very strong reason. One other new requirement is that you will need to state the legal basis for processing personal data within your privacy notices.
If you are processing special category data (sensitive data), you will need to identify the lawful basis for general processing and, in addition, a separate condition for processing this type of data. It is important to document and be able to demonstrate why you have selected a specific legal basis for each data processing activity that relates to personal and/or sensitive data.
Next week we will look more closely at privacy notices and what should be included in them. In the meantime, you can download the GDPR toolkit from the SFA website and use it to conduct your GDPR audit.
If you would like more information on GDPR, or to discuss your requirements further, please contact Helen at SFA on 01 605 1668 or at firstname.lastname@example.org, or visit our HR and Employment Law advice section at www.sfa.ie/advice