
GDPR - it's more than just consent

Wednesday 18 April 2018

When it comes to General Data Protection Regulation (GDPR) it's easy to get hung up on the idea of consent - but there are five other legal bases which organisations can use to process personal data.

Whilst the concept of GDPR may seem foreign, having a lawful basis for processing data is not new, and the rules have changed very little. What the new Regulation does do, however, is place more emphasis on being accountable and transparent about the way you keep and use customer data.

When considering the legal basis for processing customer data, it is key that you rely on the most appropriate basis. In practice this will usually mean relying on either your contractual or legal obligations; however, there will be circumstances where neither is the most appropriate legal basis.

Confusing, right? That's why we've broken down the other five areas for processing and explained what each legal basis means.

CONTRACT

Not much has changed by way of contracts and data protection, as the lawful basis for processing is almost identical to the old condition for processing in paragraph 2 of Schedule 2 of the 1998 Data Protection Act.

When it comes to contracts, the law is simple: a legal basis exists if you have a contract with an individual and you need to process their data to satisfy your contractual obligations, or if you haven't yet got a contract with the individual but they request a service which requires the processing of their data.

For example: A customer asks for a valuation of their home. In order to prepare a quotation, you need to document and process personal information (such as their name, postal address and email address). In this example, where the contract is not a formal document or even written down, a legal basis would still exist, as there is an agreement which meets the requirements of contract law.

It's important to note that this lawful basis does not apply if you need to process personal data but the contract is with someone else, or if you take pre-contractual steps on your own initiative or at the request of a third party.

LEGAL OBLIGATION

The lawful basis for processing necessary for compliance with common law or statutory obligations is a near duplicate of the old condition for processing in paragraph 3 of Schedule 2 of the 1998 Act.

You can rely on legal obligation as a lawful basis if you need to process data to comply with UK or EU law, although it is important to note that this does not apply to contractual obligations.

It is necessary to document your decision to rely on this basis, to ensure you can justify your reasoning. You must either identify the specific legal provision or an appropriate source of advice or guidance clearly setting out your obligation.

For example: Processing your client's data in order to confirm their identity to comply with the Money Laundering Regulations.

VITAL INTEREST

Whilst it is unlikely this condition will apply when processing personal data during your normal business transactions, it is important to be familiar with all the bases for GDPR processing.

Vital interest is specific to life and death situations and is likely to be relevant only in instances of emergency medical care. GDPR does, however, make provision to process any other person's data on this basis, not just that of the data subject themselves. When using this condition, the Controller will also need to identify a processing condition under Article 9, as you will be processing Special Category data.

PUBLIC TASK

The Public Task legal basis for processing mainly exists for public authorities; however, private organisations can use this condition if they are processing personal data for public interest purposes or exercising official authority powers. To use Public Task as your legal basis for processing, you must demonstrate the function and its basis in common law or statute. Public Task is commonly used in the administration of justice, parliamentary functions and governmental functions. When considering Public Task as an appropriate legal basis, the emphasis is on the function your business is carrying out and not on whether you are a private or public authority per se. This is why most private organisations will find Legitimate Interest a more appropriate legal basis for processing than Public Task.

LEGITIMATE INTEREST

Legitimate interest is the most flexible lawful basis for processing and is essentially the same as the equivalent Schedule 2 condition in the 1998 Act, but don't assume it will always be the most appropriate.

To use Legitimate Interest as your legal basis for processing, an agent must have some clear and specific benefit or outcome in mind prior to data processing. The legitimate interests can be your own interests or the interests of third parties, and can include commercial interests, individual interests or broader societal benefits.

A Legitimate Interests Assessment (LIA) must be completed and recorded in order to rely upon this basis, comprising three tests:

  1. Identify the Legitimate Interest
    • Who benefits from processing the data?
    • What would the impact be if you couldn’t go ahead with the processing?
    • Is there any element of the processing which could be deemed unethical?

  2. Apply the Necessity Test
    • Does processing of this data help further the legitimate interest?
    • Is it reasonable?

  3. Finally, the Balancing Test
    • Is the data particularly sensitive?
    • Would your clients expect you to use their data in this way?
    • What is the possible impact on your client?

You must remember to balance your interests against the individual's interests; where an individual would not reasonably expect you to use their data in a particular way, or where it causes them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual's, and in the event of a conflict your interests can still prevail if there is a clear justification for the impact on the individual.

HELP IS AT HAND

We know it seems like a big business change, and we want to make sure that all members are prepared for when the Regulation comes into force. That's why we have put together a comprehensive GDPR toolkit full of handy advice to help you comply.

For more information, take a look at the Information Commissioner's Office (ICO) website. Their interactive guidance tool gives tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.

EUGDPR.org have also compiled a list of the key regulation changes and how they differ from the former Directive.