
The GDPR – Processing Data

Chris

Written on 8th January 2018

In April 2016 the EU passed the General Data Protection Regulation (GDPR) regarding the processing of personal information. This comes into force from the 25th May 2018. This post looks closer at processing personal data.

Having a lawful basis to process personal data is nothing new and is covered under the Data Protection Act 1998. However, from 25th May this will be replaced under Article 6 of the GDPR (see our recent introduction to GDPR for more information). There remain six lawful bases on which an organisation can process personal data, and at least one of these must apply:

  1. Consent – the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation – the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests – the processing is necessary to protect someone’s life.
  5. Public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks).

Consent

  • No more pre-ticked boxes
  • No more making consent a precondition of a service
  • Consent should be separate from business terms and conditions
  • Separate consent for different things, one box doesn’t fit them all
  • Make it easy for an individual to withdraw consent at any time
  • Keeping a record of when and how an individual gave consent
  • You must include the name of your organisation and any third party controllers who will rely on their consent
  • You must provide details of why you want the data and what you will do with it

Legitimate interests

Legitimate interest is the most appropriate lawful basis for processing an individual’s data when it would be reasonably expected, or when there is clear justification for it. You must include details of your legitimate interests in your privacy policy. Although this is again covered under previous legislation, the GDPR now means you must document your decisions on legitimate interests in order to demonstrate GDPR compliance. It’s important that leading up to 25th May 2018 you review your privacy policy and you communicate it to affected individuals.

Examples of legitimate interests

  • Suppression – when an individual opts out or unsubscribes from marketing communications you may need to retain some personal information, such as email addresses and mobile numbers, to ensure that the individual is excluded from future marketing campaigns.
  • Personalisation – a retail firm may rely on consent in order to send out marketing communications, but it may use legitimate interests in order to personalise the products or services it offers to customers.

Three-part legitimate interests test (sometimes called legitimate interests assessment or LIA)

  1. Identify the legitimate interest – are you pursuing a legitimate interest?
  2. Necessity test – is the processing necessary for that purpose?
  3. Balancing test – do the individual’s interests override the legitimate interest?
