The requirement to have a lawful basis in order to process personal data is not new. It replaces and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998 (the 1998 Act). However, the GDPR places more emphasis on being accountable for and transparent about your lawful basis for processing.
The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences. You now need to review your existing processing, identify the most appropriate lawful basis, and check that it applies. In many cases, it is likely to be the same as your existing condition for processing.
The biggest change is for public authorities, who now need to consider the new ‘public task’ basis first for most of their processing, and have more limited scope to rely on consent or legitimate interests.
You can choose a new lawful basis if you find that your old condition for processing is no longer appropriate under the GDPR, or decide that a different basis is more appropriate. You should try to get this right first time. Once the GDPR is in effect, it will be much harder to swap between lawful bases at will if you find that your original basis was invalid. You will be in breach of the GDPR if you did not clearly identify the appropriate lawful basis (or bases, if more than one applies) from the start.
The GDPR brings in new accountability and transparency requirements. You should, therefore, make sure you clearly document your lawful basis so that you can demonstrate your compliance in line with Articles 5(2) and 24.
You must now inform people upfront about your lawful basis for processing their personal data. You therefore need to communicate this information to individuals by 25 May 2018, and ensure that you include it in all future privacy notices.
The Lawful Basis for Processing
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)