In principle, data protection laws are easy to understand: why they’re needed, what purpose they serve, and what they affect. However, their many nuances create room for confusion.
Does this situation apply to me, even if I’m not from the EU? Have I followed all the necessary procedures in case of a privacy breach? I’m marketing with another company, and I’m not sure what I’m allowed to disclose…
It is our mission to create a safe and helpful learning environment for anyone, from small business owners to teams in large enterprises, no matter the experience or background. In this post, we will be looking at GDPR: the EU General Data Protection Regulation.
Before we dive in, allow me to preface this by saying that all data protection law is complex and one blog post cannot cover your organization’s individual circumstances in its entirety. If you have doubts when processing personal data, seek advice from a professional, or make sure you’re signed up to a proper compliance plan.
GDPR is based on the principle that any organization that processes personal data must have a legal basis for doing so, and any processing activity that involves personal data must fit into one of the regulatory categories. To summarize, the reason for a company’s data processing must be legal, and each of these categories is referred to as a “basis of processing.”
What are the lawful bases of processing?
GDPR defines six different categories of legal data processing, as outlined by the Information Commissioner’s Office:
- Consent - must be unambiguous and involve a clear affirmative action, such as an opt-in.
- Contract - to deliver a contractual service or you have been asked to do something (that requires personal data) prior to entering into the contract.
- Legal obligation - does not apply to contracts. This refers specifically to processing data to comply with the law.
- Vital interests - processing data in order to protect someone’s life. This refers only to interests that are essential for someone’s life; if you can reasonably protect someone’s vital interests via less intrusive means, this basis will not apply to you.
- Public task - this applies if you are carrying out a specific task in the public interest which is laid down by law, or you are exercising official authority laid down by the law.
- Legitimate interest* - processing for the purposes of the legitimate interests pursued by the controller or by a third party, except when these interests are overridden by the data subject’s interests or fundamental rights and freedoms, which demand that personal data be protected (for example, the data of a child).
Each of these categories is considered a valid and legitimate reason for processing data, and your business must select the most appropriate basis for each process you carry out. These legal bases are very specific and must always be presented with valid reasoning (supporting documents, proof of affirmative action, etc.); therefore, no one category is better than another.
Necessary processing and legitimate interest
All of the lawful bases require necessary processing. For most of the categories, the necessary processing is simple and self-explanatory, but the same can’t be said for legitimate interest. Let’s look at the nuance of this particular category.
What is necessary processing? ‘Necessary’ implies that the processing must be focused and appropriate in order to achieve your goal. If there is a more reasonable and less intrusive alternative to attain the same outcome, you cannot depend on legitimate interest.
For example, if you’re collecting data for marketing purposes, you can achieve the same purpose through local advertising, rather than physically mailing your marketing database.
The requirement for legitimate interest can be broken down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
Consider the balancing test this way: if the individual whose data you are processing would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. This doesn’t mean that your interests must always align with the individual’s interests, so long as you can provide a clear justification for the impact on the individual.
While legitimate interest is the most broad and flexible of the six categories, you can’t assume that it will automatically be appropriate for most of your processing. Should you choose to rely on legitimate interest, the responsibility of ensuring people’s rights and interests are fully considered and protected falls entirely on you.
Choosing your basis of processing
Lawful basis will always depend on the purpose and context of processing, so the first thing to consider is your circumstances: why do you have this data, what are you planning to use it for, does the data subject know you are going to process it, and so on. No single basis is better than the others. However, some are easier to determine than others. Contractual, legal, public tasks, and vital interests are self-explanatory in nature, and you’ll likely know you’ll be using one of these when you see them.
Recording your basis of processing & proper practice
There is no specific way to record your reasoning for choosing a particular basis of processing, so long as your record can demonstrate that your basis of choice applies. However, there are certain steps you should take to avoid issues in the future.
- You must always track which basis you are depending on for each processing activity and document your reasoning behind choosing that basis in order to meet the recording requirement.
- Your processing record and the privacy notice you provide the data subject must always be coordinated and stored together.
- If you are using your own server, cloud, or office equipment, make sure your records are regularly backed up and stored on a secondary drive to avoid corruption or loss of the original record.
Remember, as the collector and processor, it is your responsibility to prove that your lawful basis of choice is most appropriate to the situation. Once you have chosen a basis and recorded your reasoning, the next step is to inform the data subject of your lawful basis for handling their data. You are required to be transparent about the way you process people’s data.
Failure to identify a proper lawful basis for processing your subject’s data will result in you breaching the GDPR. Make sure to process your data through a certified compliance provider, or provide up-to-date compliant privacy notices.
Emailmeform & Data Protection
If all of this still seems confusing, go the safe route and process data through a compliance provider like Emailmeform. We use only industry-standard encryption for all data processes done through the form manager, with a 99.99% uptime rate.
For more information about how we collect, process, and store data for you, check out our compliance center. It will lead you to all relevant information and more regarding our systems, GDPR, HIPAA, and PCI compliance plans.