GDPR: Lawful Basis

This blog continues our series sharing our GDPR preparations.
With just under a month to go until GDPR Day we’ve done our data mapping to understand what information we hold and where it’s come from, and have updated our privacy notices.
In order to lawfully process personal data the GDPR says you must have a lawful basis for doing so.  You have to decide which of the following to use for each type of data you process and document it in your GDPR policies and privacy notices:
  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests
There are also provisions for special category and criminal offense data and you can read more about these on the ICO website.
At VONNE our data mapping has helped us to identify where our data has come from and therefore which lawful basis we should use – and crucially, where we don’t have one.
For example, VONNE holds personal information on our member organisations.  Part of that is information about the organisation itself but we also hold email addresses for employees and volunteers.
When an organisation signs up for membership of VONNE they volunteer this information and we enter into a contractual agreement; they are entitled to benefits as part of their membership agreement.  So for VONNE’s members’ information we are processing personal data in order to fulfil our contractual obligation.
For our e-bulletin mailing lists we realised that under GDPR we wouldn’t be able to identify a lawful basis for a portion of the lists.  So for this reason we’ve gone back out to those people and asked them to re-subscribe to continue to receive VONNE e-bulletins.
In all the talk around GDPR it’s very important to remember that e-comms (email, telephone, text) is actually covered by the Personal Electronic Communications Regulations (PECR) not GDPR so it’s worth understanding what this is.  The ICO have a guide to PECR and this blog post from Communicator is useful in explaining some of the issues.
Legitimate interest is the most flexible basis for processing data but it’s not an easy option.  The ICO says “If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.”
It basically ensures that an organisation which processes data in order to achieve its aims balances its own interests with those of the individual.  When using legitimate interest you need to ask yourself three questions:
  • Is our interest legitimate?
  • Is the processing necessary?
  • Will the processing negatively impact the individual’s interests, rights and freedoms?
To demonstrate that you’ve considered this properly – and in order to meet GDPR compliance – you’ll need to document this process, and the ICO have a template which you can download and amend to fit your purpose.
If you are processing personal data in order to comply with the law you can use legal obligation.  All VONNE’s employee details are processed in accordance with employment law and this legal obligation is our lawful basis for doing so.
Similarly, we hold information on the VONNE Board of Trustees and we have to do this to adhere to the laws governing charities so our lawful basis for doing so is legal obligation.
We haven’t identified vital interests and public task as bases we would use, but it’s worth mentioning that vital interests may be relevant for VCSE sector organisations who routinely deal with safeguarding issues.  In some circumstances you may need to process data to protect life.
Public task is to be used as a lawful basis if the processing of data is necessary “for the performance of a task carried out in the public interest”.  This is likely to be most relevant to public authorities.
When you’ve decided which lawful basis you intend to use to process each category of personal data you hold remember to document it in your GDPR policy and include it in your privacy notices.