GDPR Principles – Lawfulness, fairness, transparency
So after the last issue, where we looked at principle 6 – Security, our attention turns to the first principle. The best way to look at this one is to break it down into its 3 parts: lawfulness, fairness and transparency.
Lawfulness is otherwise referred to as the lawful basis for processing. There are 6 lawful bases for processing set out in Article 6:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
If you are processing any data without considering this first, I strongly recommend taking a look and making sure that you have a lawful basis sooner rather than later. The most common reasons given, in my opinion, would be consent (someone signing up to your website and checking a consent tick box, for example) and legitimate interests. The latter, as a term, is quite loose, and from talking to various companies it seems to be the go-to answer when they’re not too sure whether they can process data or not, stating that it’s in their interest to sell their goods or services. Let’s take a closer look at this one and explore why this is the case.
According to the ICO, legitimate interests are the “most flexible lawful basis for processing”, but as a business you can’t always just assume that it’s OK. The ICO suggests using a 3-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
In addition to this, the GDPR also states that you cannot rely on legitimate interests if there is another less intrusive way of achieving the same result.
If you’re already using legitimate interests as a processing basis, we recommend that you review whether the processing is actually necessary – meaning that the processing is a proportionate way of achieving your purpose.
Should we document our lawful basis?
YES! The accountability principle requires you to demonstrate compliance with the GDPR – we’ll cover this in more depth in next month’s issue, but in brief you need to be able to show that you have considered which lawful basis applies to each processing purpose, enabling you to justify your decisions. There is no set template for this, so you can make it as simple or as detailed as you like – as long as the must-haves are present: which process, which lawful basis, and the justification.
Fairness means that you should only handle personal data in a way that people would reasonably expect, and not use it in ways that could potentially have adverse effects on them. A good way to break this one down is to look at how the personal data was obtained in the first place. If anyone has been misled about what their data was being used for, the chances are that this principle is being breached.
When transparency is talked about, what we mean is that you need to be fair, open and honest with people from the start. This can include, but is not limited to, who you are and why you use their data.
Let’s not forget, data subjects have a choice whether or not to have a relationship with you. If the individuals whose data is being processed know why it’s being processed, you are less likely to end up with a DSAR landing in your inbox – potentially saving you hours of effort to resolve.
When telling them how their information is processed (in your policies, for example), you must write in clear and plain language, making it easy for everyone to understand and keeping it jargon-free!