[GDPR] Training – Lawful Data Processing

A Guide to Data Protection and the GDPR

This article forms part of a collection to introduce you to what Data Protection and ‘GDPR’ are. It’s based upon staff training that we’ve provided for companies to make sure they had a basic working knowledge and were able to take the steps to protect individuals personal information in their care.

This guide takes you through the overview and basics of Lawful Data Processing. If you have any questions or require consultation or guidance please don’t hesitate to contact me to discuss further.

Lawful Processing

For Organisations (Including Businesses and Governments) to process data under GDPR they need to have a lawful/legal basis for doing so and have documented it ahead of the processing.  It’s important to remember that there is separate lawful/legal basis under GDPR for more special categories of more sensitive data (Such as  Racial or ethnic origin, political or religious opinions, or information regarding an individuals health (including biometric data such as blood tests, fingerprints and DNA), sex life or sexual orientation.).

First a quick reminder of some keywords.

  • Processing – This is the action of any operation or set of operations that take place to any personal data (individually or as a collective). This processing can be done manually or by a computer and covers everything from collection to alteration and storage.
  • Data Subject – Is the end customer/client or user interacting with a company/organisation/government.
  • Data Controller – Is who the data subject is interacting with and who is directing what should happen with the data, they have the overall responsibility for ensuring compliance with the GDPR.
  • Data Processor – Is who processes the action for which the data has been collected (this includes storing it) on behalf of the Data Controller. A company can both be a Data Controller and a Data Processor. Data Processors are also liable for any breach of the GDPR while the data is within their care but it is the responsibility of the controller to make sure that the processor is meeting its obligations.

What are the options for lawful grounds for processing personal data? 

Each of the following has its own restrictions and scenario in which its best fit, each basis influences individuals rights slightly differently and you need to make sure that your basis for processing is the least invasive and more transparent to your data subjects.

Consent

Consent in my experience seems to be what most talk about in GDPR for their reason for processing data (despite the fact they are often the much better and easier basis for them to have used).

Consent is where you lay out the facts of how and what you will use a data subjects data for, how you’ll process it – and if they agree – You can do so. As long as you clearly laid out what you were going to do then generally you can do anything (within the remits of GDPR) with that data.
Consent must be gained before you process (which remember includes collecting) any personal information from a data subject, It must be freely given with a specific, informed and clear indication of the individuals wishes and must be confirmed through action. This means that for a registration field for a website sign-up a tickbox used to gain consent cannot be pre-ticked or the wording requiring the data subject to tick a box or state if they do not agree to the conditions to do so would invalidate the consent given. You can, however, collect data under another basis (assuming it’s evidence and lawful) and reason for processing and then allow the data subject to opt-in through consent for a different requirement for processing.

You need to keep a record of a data subjects consent including the time and date given as well as a record of what they consented to. It’s important to remember that in a digital age a customer may give or remove consent multiple times in their lifetime with you or they may give only partial processing consent (e.g. they agree that their data can be used for the main purpose of your business but refuse for it to be shared with third-parties) and so your record-keeping system needs to be flexible and clear in how this is stored and displayed.

The other side of consent, however, is what gives data subjects the strongest protections, they are at any time allowed to remove/retract that consent (which must be as easy process as it was for them to give consent, e.g., if they ticked an online box to give it then a process as easy as ticking a box, must be provided to remove that consent) and imminently stop all processing of their data and request that their data be deleted.

For the special categories of data mentioned above a higher level of consent is required referred to as ‘Explicit Consent’

Children

If you rely on consent for the processing data for children (Those under the age of 16) then you will need to gain consent from a legal parent or guardian to process the child’s data, in addition to the child’s permission (This means that your policies and consent wording provided to the child must be easily understandable to their age and you cannot assume that an adult would explain a more complex agreement to them. A child needs to know that they need a parents consent and organisations need to be certain that the parental/guardian consent they’ve received is legitimate and verifiable e.g. a signed letter or logged/recorded phone call). This like normal consent will need to be traceable and you will need to log as consent is given or removed. 

Recital 38 of the GDPR says

“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user-profiles and the collection of personal data with regard to children when using services offered directly to a child.”


Parental or Guardian consent is not required when processing relates to preventative or counselling services, such as those to protect child welfare.

Contractual

You have a legal basis if you’re processing data to fulfil a contract that the data subject is a party to (or that you’re taking steps at the data subjects request prior to the contract but as required by it). Your contract will need to mention this and evidencing that contractual is a lawful basis for the processing. The simplest example here is one of employer-employee where the employer needs to process the employee’s data (including storing their bank details for payment, or elements about their health such as allergies etc) and doing so under the other basis does not give all of the required ease or allowances. 

Compliance with a legal obligation

Controllers are allowed to process data in line with legal obligations such as reporting information to HMRC or other local or national government departments that require that information under Law. 

To protect the vital interests of someone

Controllers are allowed to process data where it is necessary to protect someone’s vital interests such as security, health or finance. An example I was once given would be processing the data of employees next of kin so you can contact them should your employee encounter a health or other issue and protection of data subjects interests is required.

The Public Interest

Controllers can process data if it is necessary for a task carried out in the general public interest under the authority given to them. This primarily relates to the public authorities such as the police and other organisations that we submit data to or serve a protective status (like the Border force). As such these controllers are allowed to process data for the purposes of protecting public interests. It’s rare that this basis can be used outside of Government or legal civil organisations (Such as the Police) or third-party contractors organisations who are acting as joint controllers or processing on behalf of these organisations (In which case Contractual is a much stronger and easier defence!).

Legitimate Interest

Legitimate Interest is the most popular basis for processing that I hear about after Consent – Many have seen it as a sneaky get out of jail free card (assuming they remembered to evidence it correctly before processing), in my opinion, while legitimate interest does give controllers an element of freedom it also requires a strong and evidenced defence that the use of it does not override the interests, rights or freedoms of a data subject (especially when the data subject is a child). 

To oversimplify Legitimate Interest defence, you would need to show that your processing of their data gave benefit to them in a way that did not infringing of their rights and protections, or where there is no direct benefit that processing their personal data has not infringed or given the risk to their rights or protections. Examples given on this are historians or scientific studies as well as existing relationships between controllers and subjects where the controller may process the data under a new requirement and use Legitimate Interest to claim that this new processing did not infringe and was of a strong benefit to that client. I have oddly seen this used in different marketing scenarios to send emails to customers (instead of defence under the Privacy and Electronic Communications Regulation) and to send customers of e-commerce websites after-sales marketing to gain reviews.

Special Categories Processing and Lawfulness

For the processing of special categories data along with Explicit Consent, the following basis can be evidenced and used where appropriate. This guide won’t cover these in detail but if you’d like to discuss the importance and protections required around these please don’t hesitate to send me a message.

  • Defence of legal claims
  • Obligations under the Law
  • Protect the vital interests of individuals (normally where they are unable or incapable to give consent themselves)