Processing data lawfully: an introduction to this critical topic




Our world revolves around data. And the use of data – specifically personal data – is governed by the GDPR which has been with us since 25 May 2018. The actual GDPR is an epic piece of work: it was originally 261 pages long but has grown since then and now has over 20,000 more words than Shakespeare’s Hamlet – his longest play. It’s also generated a huge amount of debate and commentary. It is undoubtedly complex.

But in a complex world, let’s keep things simple. Or at least, as simple as we can, without falling foul of the regulation.

If we are processing data lawfully, the GDPR gives us six ways in which we can do that. Generally speaking, none of these is better than the others – processing is either lawful or it’s not – but it’s important to get it right first time. Once you’ve chosen a lawful basis for processing, there is no easy way back. The six bases are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

You can find a more comprehensive guide to processing data lawfully on the ICO website here.

While consent might seem the easiest route on the face of it, it can be hard to get – relying on customers specifically to do something to give it – and can be withdrawn at any time. For the businesses we deal with, better options are likely to be compliance with contractual or legal obligations, legitimate interest or public interest. Of course, we can’t give specific legal advice on individual situations, but we can say that you need to be clear about how and why you are using personal data: document what you have asked your customers, and what lawful processing basis you want to rely on. You need to be sure that you would be able to explain and defend your position if challenged and above all to keep the basic principles of transparency and fairness in mind.

To learn more about how we work, or to discuss the Sekura approach with any of our team, Contact Us.