What is a lawful basis for processing under the GDPR? Do you always need individuals’ consent to process their data? What exactly are ‘legitimate interests’?
Like the Data Protection Act 1998 (DPA 1998) that it superseded, the General Data Protection Regulation (GDPR) sets out six lawful bases for processing personal data.
Except for special categories of personal data (‘sensitive data’), whose processing is prohibited except under certain circumstances, personal data can only be processed under the GDPR if the data subject gives their explicit consent or if it’s necessary:
- To meet contractual obligations entered into by the data subject.
- To comply with the data controller’s legal obligations.
- To protect the data subject’s vital interests.
- For tasks carried out in the public interest or exercise of authority vested in the data controller.
- For the purposes of legitimate interests pursued by the data controller.
Many people – and organisations – focus on consent, but it’s arguably the weakest lawful basis for processing because it can be withdrawn at any time.
It’s therefore always worth determining whether another lawful basis for processing can apply.
For example, when you process staff data for payroll purposes, contractual obligations will apply, as staff will have signed a contract of employment. There is no need to find another lawful basis – including consent.
Lawful processing under the GDPR
The GDPR is more specific than the DPA 1998 when it comes to consent, especially in terms of how it should be given. Article 7 of the Regulation sets out the conditions for consent, but more detail is provided in Recital 32, which states that:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. […] Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
If you relied on consent under the DPA 1998, you can’t assume that it’s still lawful under the GDPR. You need to ensure it meets the new law’s requirements. If it doesn’t, you’ll need to change your consent mechanisms and get fresh consent – or find an alternative lawful basis for processing.
(This is why you received so many emails the week before the GDPR came into effect. Many organisations that were unsure about whether they had lawful consent erred on the side of caution and tried to get it afresh.)
It’s essential that you keep proper records of consent, as stipulated by Article 7(1):
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
This is particularly important because data subjects have the right to withdraw their consent at any time. You’ll then be obliged to erase their data “without undue delay” if they ask you to, unless you can show a lawful reason to retain it – meaning that “processing is necessary”, as stated in Article 17(3).
This isn’t the only occasion you might be obliged to erase personal data, so it’s essential to ensure you have appropriate processes in place.
Note that it must be as easy for data subjects to withdraw their consent as it was to provide it in the first place.
This lawful basis is almost identical to the condition set out in the DPA 1998. You can rely on it if:
- You have a contract with someone and need to process their personal data to comply with your obligations as part of that contract.
- You don’t yet have a contract with someone, but they’ve asked you to do something as an initial step (for example, provide a quote) and you need to process their personal data to do so.
In this context, a contract doesn’t have to be a formal legal document, as long as it meets the requirements of contract law. An oral statement also counts.
Any processing you carry out must be necessary for the purposes of fulfilling your contractual obligations. This lawful basis will not apply if there are other ways of meeting those obligations.
If it’s necessary to process sensitive data as part of a contract, you also need to identify a separate condition for processing that data, as set out in paragraph 2 of Article 9 of the GDPR, and Sections 10 and 11, and Schedule 1 of the DPA 2018.
This lawful basis is almost identical to the condition set out in the DPA 1998.
You can rely on it if you need to process personal data to comply with a common law or statutory obligation. (It doesn’t apply to contractual obligations.) It should be clear from the law in question whether processing is necessary for compliance.
Note that you must be able to identify the specific legal provision that you’re complying with, or show the guidance or advice that sets out your legal obligation.
If you’re confident that your approach complied with the DPA 1998, you are very likely to be compliant with the GDPR in this regard.
As ever, it is essential to maintain appropriate records.
This basis applies if it’s necessary to process personal data to protect someone’s life. Note that, unlike the DPA 1998, this applies to any life – not just the data subject’s life.
Recital 46 of the GDPR clarifies that:
Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.
It is unlikely to apply except in cases of emergency medical treatment.
If your organisation needs to process personal data “for the performance of a task carried out in the public interest” or “in the exercise of official authority” (Recital 50), you can do so under this lawful basis.
You don’t need a specific statutory power to process personal data, but, unlike the DPA 1998, you must have a clear basis in law, which you must document.
The DPA 2018 clarifies that this includes processing necessary for:
- The administration of justice,
- Exercising a function of either House of Parliament,
- Exercising a function conferred on a person by an enactment or rule of law,
- Exercising a function of the Crown, a Minister of the Crown or a government department, or
- An activity that supports or promotes democratic engagement.
Data subjects’ rights to erasure and data portability do not apply if you are processing on this basis. However, they do have a right to object.
The most flexible of the six lawful bases for processing, legitimate interests could theoretically apply to any type of processing carried out for any reasonable purpose.
This lawful basis is worth quoting in full; Article 6(1f) states that processing is lawful if, and to the extent that:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
On the one hand, this gives you a lot of room for interpretation. On the other, the definition is unhelpfully vague, and the burden is on you to determine whether or not your interests in processing the personal data really are legitimate.
- Purpose test – are you pursuing a legitimate interest?
- Why do you want to process the data? What are you trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if you couldn’t go ahead?
- Would your use of the data be unethical or unlawful in any way?
- Necessity test – is the processing necessary for that purpose?
- Does this processing actually help to further that interest?
- Is it a reasonable way to go about it?
- Is there another less intrusive way to achieve the same result?
- Balancing test – do the data subject’s interests override the legitimate interest?
- What is the nature of your relationship with the individual?
- Is any of the data particularly sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Are you processing children’s data?
- Are any of the individuals vulnerable in any other way?
- Can you adopt any safeguards to minimise the impact?
- Can you offer an opt-out?
Numerous interests can be legitimate, including your interests, third parties’ interests and commercial interests. These interests must be balanced against those of the data subject(s).
The GDPR mentions processing client or employee data, marketing, fraud prevention, intra-group transfers or IT security as potential legitimate interests, but this list is not exhaustive.
The important thing to consider is that legitimate interests are most likely to be appropriate if you are using personal data in ways that the data subjects would deem reasonable and where the processing has a minimal impact on their privacy.
And, as ever with the GDPR, it’s your record-keeping that will prove essential. If you can demonstrate that you’ve carried out a full legitimate interests assessment (LIA), the ICO should be satisfied.
Note, however, that if you do use legitimate interests as your basis for processing personal information as part of your marketing activities, the data subjects’ right to object is absolute: you must stop processing if anyone objects. You should also check your compliance with the PECR (Privacy and Electronic Communications Regulations 2003) and the forthcoming ePR (ePrivacy Regulation).
If you rely on legitimate interests, the right to data portability does not apply.
Data Protection Impact Assessment Workshop
A data protection impact assessment (DPIA) will help you determine and mitigate the risks your organisation faces when processing personal data – whichever lawful basis you rely on.
Our one-day DPIA workshop has been designed to provide attendees with the practical knowledge needed to perform a DPIA in compliance with the DPA 2018 and the GDPR.