What the ICO says –
“You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.”
What does this mean for your organisation –
To align with the Legality and Accountability principles of the GDPR, your organisation needs to identify what (if any) lawful basis within the GDPR it has for each PII processing activity; you then need to document that basis and update any privacy notices to explain it.
Currently there are six lawful conditions for processing standard category data, and your organisation needs to have at least one of them for any type of processing it undertakes.
1. Consent of the Data Subject – Consent is not a silver bullet and, in many cases, is not the most relevant lawful basis.
2. Processing is required for the performance of a contract with the Data Subject or to move towards entering into a contract.
3. Processing is required for compliance with a legal obligation. – Be aware, though, that legal obligations can expire, so they may no longer require all the PII you originally processed.
4. Processing is required to safeguard the vital interests of a data subject.
5. Processing is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are outweighed by the interests, rights, or freedoms of the Data Subject. – Basically, you cannot have an imbalance of power in favour of the Data Controller or Data Processor.
* It is important to note that this condition is not available to processing carried out by public authorities in the performance of their tasks.
For Special Categories of Data there are 10 lawful bases; they are related to those for standard category data but are much more specific and require far more than these snippets to explain. Get in touch with me and we can work together to manage your special category data.
The 12 Days of GDPR snippets are not designed as a guide to make your organisation GDPR compliant; they are just to whet your appetite and get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation to become GDPR compliant.
What is the GDPR? – It is the new evolution of data protection across the EU. On May 25th, 2018, the General Data Protection Regulation becomes enforceable, so if your organisation processes personally identifiable information of any EU resident then you need to be prepared for the GDPR; otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest of sports clubs anywhere in the world, if your organisation offers goods or services, even free ones, to EU residents, then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.