How to choose a lawful basis for processing personal data

If you think that to process personal data all you need is a tick box, think again. If you think that all you need is consent, take another guess. And if you think that you can get away with only one lawful basis, then perhaps you should read this article.

By Nigel Jones

Co Founder of The Privacy Compliance Hub

In this ‘Practical Privacy Series’ our aim is to give the benefit of our experience to those of you who may be building a privacy compliance programme for the first time. You may only have a limited understanding of data protection and privacy. Perhaps this is not your main job. Or perhaps you are relatively new to creating and maintaining data protection compliance programmes. It may be that you know the law, but you’ve never put it into practice before.

We appreciate that in these circumstances certain jobs may appear daunting.  Or you may want the confidence to know that you are on the right track, or that there are certain things that everyone finds tricky.  Hopefully, we can help and give you the confidence to get this right.

The big picture

You need to be transparent and accountable for the personal data that you process.  The idea behind choosing a lawful basis is to make you think about what personal data you have, what you do with it and what rights you have to do it.  If you don’t have a right, you can’t do it.  And if you do have a right, you have to exercise it in the right way.  Processing has to be fair and legal.  Simples.

Start with an inventory

You start thinking about personal data by coming up with a list of the people whose personal data you process, e.g. staff, suppliers, regular customers, visitors to your website, people responding to advertisements etc. You write this down. You then get people throughout your organisation to come up with their own lists and write them down. At The Privacy Compliance Hub we call these people ‘Privacy Champions’.

Your Privacy Champions discuss the lists and come up with an agreed list.  You then add to this list the types of personal data each category of person is trusting you with.  You write this down and agree it.

You use this list to start mapping your data flows.  These maps show in a visual format the way personal data is collected, stored, used and shared by your organisation.  You then need to use these data flows to create an inventory, which is sometimes called an ‘Article 30 Record’.  This records what your organisation is doing with personal data and demonstrates that you are thinking logically and holistically about your processing of personal data.

You are now ready to decide whether you have a lawful basis, but first you need to decide whether you really need one.

Work out whether you are a controller or processor

The need for a lawful basis applies only to controllers of data.  Controllers have primary responsibility for the personal data they process.  If those controllers use processors to process that personal data on their behalf, then those processors are just supposed to do what they are told by the controller.  Processors don’t need a lawful basis.  If you would like to explore further whether you are a controller or a processor, we have written a simple article for you.

If you decide that you are a controller in respect of a particular category of personal data then you have to establish whether you have a lawful basis to process that personal data and, if so, which one.  

How to choose the right lawful basis

First, think about your purpose in processing each category of personal data, e.g. to provide your customers with the service they asked for; to send people newsletters; to pay staff wages on time. You then need to ask whether you need that personal data to achieve that purpose (you are only allowed to process personal data if that processing is necessary). If you do need it, then you need to make sure that you have a lawful basis.

You have six to choose from:

  • contractual necessity – necessary to perform a contract with the individual;
  • legal obligation – necessary to comply with a law that the controller is subject to;
  • vital interests – necessary to protect or save a person’s life;
  • public task – necessary for carrying out a task in the public interest;
  • consent – we talk more about this in our article “The age of consent”;
  • legitimate interests – needs to be balanced with the rights and freedoms of individuals.

Each of these has its own rules.  The Privacy Compliance Hub provides our clients (or ‘Hubbers’ as we call them) more practical detail on each of the lawful bases within their own Hubs.  This is the one place where our Hubbers are able to establish, maintain and demonstrate their privacy compliance.  If you are in any doubt as to whether your processing fits into one of these categories then we suggest that you either get yourself your own Hub (you can see it in action in this video), or read up on the ICO website.

We suggest that you ask yourselves whether one of the first four lawful bases applies to your processing operation.  If not, then decide between ‘consent’ and ‘legitimate interests’.  Read our article on consent for more information on the advantages and disadvantages of choosing consent.  Remember that consent can always be withdrawn.  Given that you can only have more than one lawful basis in situations where you are not relying on consent, if the consent is withdrawn, you will have to cease that processing operation.

Also remember that in deciding whether you can rely on legitimate interests, you need to complete a legitimate interest assessment and keep a record of it.  You should not just choose legitimate interests because none of the other lawful bases are available to you.

Tell everyone what you have chosen

You need to tell people the purpose for collecting their personal data and the lawful basis you are relying upon to process it.  You need to tell people at the point of collection and before you start processing.  If you need more help writing a good privacy notice read our article ‘How to write a privacy notice’.

You can’t easily change your mind

Given that you need to tell people your lawful basis before you start processing, changing your mind is difficult because you would need to go back to people and tell them that you had changed your mind and make sure that they are happy with that.  Probably best if you get it right in the first place!

Remember that organisations change

Whilst it is difficult to change your mind, organisations do change.  For example, you may develop a new product or process which means you have a new purpose for processing.  But be careful – ‘purpose limitation’ is a principle of the GDPR.

A new purpose requires that you tell individuals what that new purpose is and (if the new purpose is incompatible with the original purpose) what the lawful basis is for that purpose.  Irrespective of compatibility, if you are relying on consent as your lawful basis, you need to get fresh, specific informed consent.

You need to record all this in your data flows; in your Article 30 Record; and in your privacy notice.  This is part of what we call a culture of continuous privacy compliance.

Credit Kudos are a different kind of credit agency.  They take financial data obtained through open banking to make better, fairer credit decisions.  Here, Kelly explains how The Privacy Compliance Hub has helped her organisation.


A culture of continuous privacy compliance

At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to build that culture and comply with privacy rules including the GDPR and the CCPA.
