Lawful basis for processing

Overview

Why does this topic matter to organisations?

Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. If the controller does not have a lawful basis for a given data processing activity (and no exemption or derogation applies) then that activity is unlawful.

What types of organisations are most affected?

The nature of an organisation’s business, and the sector in which it operates, makes no difference to that organisation’s obligation to comply with EU data protection law. Hence, all types of organisations are affected.

What should organisations do to prepare?

Having a lawful basis for each processing activity is critical to an organisation’s ability to comply with EU data protection law. Therefore, organisations should:

  1. review all of their data processing activities;
  2. ensure that they have a lawful basis for each processing activity (or an exemption or derogation applies);
  3. where consent is the basis for processing, review existing mechanisms for obtaining consent, to ensure that they meet the GDPR’s standards (see Chapter 8); and
  4. where a legitimate interest is the basis for processing, maintain records of the organisation’s assessment of that legitimate interest, to show that the organisation properly considered the rights of data subjects.