The deadline for GDPR is fast approaching and as part of your organisation’s GDPR preparations, you need to determine whether you have a lawful basis for processing data, and if so, what this basis is.
A ‘lawful basis’ is the reason your business has for processing (including holding/storing) an individual’s personal data. The GDPR offers six lawful bases for processing, and you need to determine which is most appropriate to your business, ensuring the reasons for your choice are accurately documented.
The six lawful bases are:
1. Consent—The individual has given your organisation clear consent for you to process their personal data for a specific purpose.
2. Contract—The data processing is necessary for a contract that you have with the individual, or because they asked you to take specific steps before entering into a contract.
3. Legal obligation—The data processing is necessary for your organisation to comply with the law—not including contractual obligations.
4. Vital interests—The data processing is necessary for your organisation to protect an individual’s life.
5. Public task—The data processing is necessary for you to perform a task in the public’s interest or for your organisation’s official functions, and the task or function has a clear basis in law.
6. Legitimate interests—The data processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests. (Note: This cannot apply if your organisation is a public authority processing data to perform your own official tasks).
Simon Gubbins, Managing Director at Robison, said: “From a risk management perspective, it’s important to note that no matter which lawful basis you choose, it is only valid if your objective is not reasonably achievable through any other means. If it’s found that other methods could potentially have been used without the need for processing personal data, you could be in violation of GDPR leading to a hefty fine.
To protect your business from potential prosecution and fines, make sure your chosen lawful basis for processing has been given thorough thought and consideration. Once you have ascertained what your lawful basis is, it’s important to document it and state your reasons why it’s applicable. To demonstrate transparency and accountability, make sure that your company’s privacy notice clearly states your lawful basis for processing and what that data will be used for.”
To help you determine which lawful basis for processing is appropriate to your business, see our Lawful Basis for Processing Data Under the GDPR Checklist.
Robison & Co. provide bespoke insurance policies for businesses and individuals. If you would like an audit of your existing policies, or advice on a new policy, please call Robison today on 01730 265500. We’d be happy to discuss your current needs and ascertain your level of risk.