Understanding Your Lawful Basis

What is a Lawful Basis and why do we need one?

Whilst the use of personal data continues to expand, Data Controllers are still required, in accordance with the first data protection principle in Article 5 of the General Data Protection Regulation (GDPR), to determine their ‘lawful basis’ for processing, so as to comply with the requirement that personal data be processed lawfully and fairly.

Article 6 of the GDPR gives the Data Controller six lawful bases to choose from. These are:

  1. Consent;
  2. Performance of a Contract;
  3. Legal Obligation;
  4. Vital Interests;
  5. Public Task;
  6. Legitimate Interests.

Whilst there are six to choose from, no basis is valued as better or more important than another; the most appropriate one depends on the purpose of the processing and the Data Controller’s relationship with the individual.

The main consideration when determining the most appropriate lawful basis for processing personal data is to get it right first time. This is important because, once chosen, a Data Controller should not switch to a different basis unless there is a good and valid reason to do so. Where ‘consent’ has been chosen as the lawful basis, switching is harder still: if an individual withdraws consent, the Data Controller cannot simply fall back on another basis to carry on the same processing.

The lawful basis for processing personal data must be communicated to the Data Subject at the time the data is collected from them or, where the data was received from a third party, within a reasonable period and at the latest within one month (Article 14). This information is normally provided to the Data Subject in a privacy notice.

Special Category Personal Data (Article 9), which includes data such as:

* Data concerning a person’s sex life or sexual orientation

and Criminal Conviction Data (Article 10) each require, in addition to a lawful basis under Article 6, a separate condition for processing: one of the conditions in Article 9(2) for special category data, and for criminal conviction data either official authority or a condition set out in UK law (Data Protection Act 2018, Schedule 1).

We will be venturing into each lawful basis for processing in our future articles. In the meantime, if you need further support with the processing of personal data and the lawful basis for processing personal data, contact us on 0800 999 5550 or email me at info@bruceandbutler.com.


Tom Ward – Senior Data Protection Advisor.

Posted on 21st Apr 2020 07:49:48 by Matt

Tags: Data Protection.

Do you need to appoint a Data Protection Officer?

In the modern digital age, the use of personal data is expanding in terms of volume and value. UK privacy law ensures the commercial use of personal data is fair when balanced with the rights of UK data subjects. Monitoring compliance with applicable privacy laws is a key responsibility of a Data Protection Officer (DPO) but does your organisation actually need a designated DPO? Let’s take a look at the facts…

Article 37 of the General Data Protection Regulation (GDPR) states that a controller or processor of personal data must designate a DPO on a mandatory basis if it meets any of the following criteria:

  1. The processing is carried out by a public authority or a public body (except for courts acting in their judicial capacity). Examples of this include: the governing body of a higher learning institution, an NHS trust or a county council.
  2. The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. An example of regular and systematic monitoring could include operating business CCTV or tracking online behaviour.
  3. The core activities of the controller or processor consist of processing on a large scale of special category personal data (Article 9) or personal data relating to criminal convictions and offences (Article 10). This type of processing could, for example, be undertaken by health organisations, criminal record checking organisations or trade unions.

How do you know if the processing is large scale?

Although neither the GDPR nor the Data Protection Act 2018 defines ‘large scale processing’, to decide whether processing is on a large scale you should consider:


Are you unsure whether you meet any of the above criteria?

Contact us on 0800 999 5550 or email me at info@bruceandbutler.com for a confidential discussion about your commercial processing activities.

Harry Ware - Senior Data Protection Adviser

Posted on 14th Apr 2020 09:53:50 by Matt

Tags: Data Protection, DPO.

Introducing - The Diary of a DPO Podcast

An introduction to our brand new and first ever podcast - The Diary of a DPO.

Introducing The Diary of a DPO podcast with Matt Bruce, CEO of Bruce & Butler - Data Protection and Information Security Specialists based in the UK.

Matt will give you an insight into the role of a Data Protection Officer whilst exploring new and emerging technologies and how they process personal data.


Believe me, the role of a Data Protection Officer (DPO) isn’t half as boring as it sounds.

It’s an increasingly important role and one that’s ever changing with the advancing pace of technological change, particularly with the emergence of Cloud, Big Data, Analytics and Artificial Intelligence (AI).

Compliant, secure and ethical processing of personal data is now a top corporate risk area, and the consequences of getting it wrong can be terminal for an organisation.


Check out our podcast on the following platforms:

Posted on 14th Apr 2020 09:39:15 by Matt

Tags: Data Protection, DPO.
