GDPR - it's more than just consent

Wednesday 18 April 2018

When it comes to the General Data Protection Regulation (GDPR), it's easy to get hung up on the idea of consent - but there are five other legal bases which organisations can use to process personal data.

Whilst the concept of GDPR may seem foreign, having a lawful basis for processing data is not new, and the regulations have changed very little. What the new Regulation does do, however, is place more emphasis on being accountable and transparent about the way you keep and use customer data.

When considering the legal basis for processing customer data, it is key that you use the most appropriate basis to rely upon. In practice this may mean relying on either your contractual or legal obligations in most situations; however, there will be circumstances where this is not the most appropriate legal basis.

Confusing, right? That's why we've broken down the other five areas for processing, and explained what each legal basis means.

CONTRACT

Not much has changed by way of contracts and data protection, as the lawful basis for processing is almost identical to the old condition for processing in paragraph 2 of Schedule 2 of the 1998 Data Protection Act.

When it comes to contracts, the law is simple - if you have a contract with an individual and you need to process their data to satisfy your contractual obligations, or if you haven’t yet got a contract with the individual, but they request a service which requires the processing of their data, a legal basis exists.

For example: A customer asks for a valuation of their home. In order to prepare a quotation, you need to document and process personal information (such as their name, postal and email address etc). In this example where the contract is not a formal document, or even written down, a legal basis would exist as there is an agreement which meets the requirements of contract law.

It's important to note that a lawful basis does not apply if you need to process personal data but the contract is with someone else, or if you take pre-contractual steps on your own initiative or at the request of a third party.

LEGAL OBLIGATION

The lawful basis for processing necessary for compliance with common law or statutory obligations is a near duplicate of the old condition for processing in paragraph 3 of Schedule 2 of the 1998 Act.

You can rely on legal obligation as a lawful basis if you need to process data to comply with UK or EU law, although it is important to note that this does not apply to contractual obligations.

It is necessary to document your decision to rely on this basis, to ensure you can justify your reasoning. You must either identify the specific legal provision or an appropriate source of advice or guidance clearly setting out your obligation.

For example: Processing your clients' data in order to confirm their identity to comply with Money Laundering Regulations.

VITAL INTEREST

Whilst it is unlikely this condition will apply when processing personal data during your normal business transactions, it is important to be familiar with all bases for GDPR processing.

Vital interest is specific to life and death situations and is likely to only be relevant in instances of emergency medical care. However, GDPR has made provision to be able to process any other person’s data, not just that of the data subject themselves. When using this condition, the Controller will also need to identify a processing condition under Article 9 as you will be processing Special Category data.

PUBLIC TASK

The Public Task legal basis for processing mainly exists for public authorities; however, private organisations can use this condition if they are processing personal data for public interest purposes or exercising official authority powers. To use Public Task as your legal basis for processing you must demonstrate the function and its basis in common law/statute. Public Task is commonly used in the Administration of Justice, Parliamentary Function or Governmental Function. When considering Public Task as an appropriate legal basis, the emphasis is on the function your business is carrying out and not whether you are a private/public authority per se. It is for this reason that most private organisations will deem Legitimate Interest more appropriate as a legal basis for processing than Public Task.

LEGITIMATE INTEREST

Legitimate interest is the most flexible lawful basis for processing and is essentially the same as the equivalent Schedule 2 condition in the 1998 Act - but don't assume it will always be the most appropriate.

To use Legitimate Interest as your legal basis for processing, an agent must have some clear and specific benefit or outcome in mind prior to data processing. The legitimate interests can be your own interests or the interests of third parties, and can include commercial interests, individual interests or broader societal benefits.

A Legitimate Interests Assessment (LIA) must be completed and recorded in order to rely upon this basis, comprising three tests:

  1. Identify the Legitimate Interest
    • Who benefits from processing the data?
    • What would the impact be if you couldn’t go ahead with the processing?
    • Is there any element of the processing which could be deemed unethical?

  2. Apply the Necessity Test
    • Does processing of this data help further the legitimate interest?
    • Is it reasonable?

  3. Finally, the Balancing Test
    • Is the data particularly sensitive?
    • Would your clients expect you to use their data in this way?
    • What is the possible impact on your client?

You must remember to balance your interests against the individual’s interests, and where an individual would not reasonably expect you to use their data in a particular way, or where it causes them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s and in the instance of a conflict, your interests can still prevail if there is a clear justification for the impact on the individual.

HELP IS AT HAND

We know it seems like a big business change, and we want to make sure that all members are prepared for when the regulation comes into force. That's why we have put together a comprehensive GDPR toolkit full of handy advice to help you comply. 

For more information take a look at the Information Commissioner's (ICO) website. Their interactive guidance tool gives tailored guidance on which lawful basis is likely to be most appropriate for your processing activities. 

EUGDPR.org have also compiled a list of the key regulation changes and how they differ from the former directive.