EU/UK GDPR Lawful Bases – Getting accountability right
Working out the lawful bases for your processing activities can be a challenge. Whilst the ICO has guidance and a useful tool to help organisations determine the lawful bases of processing, the final decision will always rest on the Controller organisation to defend. A Controller thus needs to document their lawful bases properly because if something goes wrong, they may need to defend their decision-making process. This article will look at how you can logically work through a process to determine the lawful bases and document the underlying decision to an appropriate level of detail…strap in!
What is a lawful basis and why is it important?
Under GDPR, the lawful processing of personal data is conditional upon an underlying lawful basis for the processing activity. If you want to process personal data, it’s important to know which lawful basis you intend to rely upon. Getting this wrong could land you in a world of pain, from your customers and possibly from your regulator too – and no one wants that! You must also document the lawful basis for each of your processing activities and the supporting decision-making process. Documentation is important so that you can effectively demonstrate accountability – in our opinion the most important of the data protection principles.
Why bother trying to work this out, surely just go for consent?
During the 2018 gold rush of GDPR, there seemed to be a lot of consultants and DPOs (there still are, to a certain extent) who defaulted to declaring consent as the lawful basis for all manner of processing activities. This then led to many organisations purging data sets unnecessarily, alongside a lot of confusing communication to data subjects. I don’t know why this happened so frequently, but it’s possible poor training was at the centre of these consultants’ “advice”. The practice of defaulting to consent is lazy but, more importantly…
“Defaulting to any lawful basis does not demonstrate accountability.”
What is therefore needed is a methodical approach that can be consistently applied to any processing activity in a repeatable manner. Something that can be documented concisely. An approach that could be applied internally by the organisation itself but also validated externally by an auditor or a regulator. An approach where it is likely everyone will get [roughly] the same answer! To that end, the next few paragraphs suggest a five-stage approach you may wish to consider…
1. Consider the applicable rights, the Data Subject and the data processed
It is important to know what rights will apply to the processing as part of your consideration as to which lawful basis you choose.
Data subjects have a number of rights enshrined in data protection law, but what is less well known is that, depending on the lawful basis, not all rights apply. For example, when relying on Legal Obligation as the lawful basis for processing, the rights to be forgotten, to object, and to data portability do not apply. That is to say, the Data Subject cannot exercise these rights.
Not only must you consider the specific rights that will or will not apply, but you must also consider the type of Data Subject. If the Data Subject is an employee, consideration must be given to how the imbalance of power between employee and employer may affect the data subject’s ability to exercise their rights. If a Data Subject cannot realistically object to processing or withdraw consent, then things could become problematic if a Controller relied on a lawful basis where these rights must apply.
There are further conditions that apply to special category data and criminal offence data. These considerations must also be factored into your decision-making process.
2. Separate out the processing
If simplifying many activities under one umbrella term prevents the correct lawful basis from being applied then you must separate out those processes first.
When it comes to recording processing activities, there can be a tendency to oversimplify. For example, to look at an IT system and then state everything that occurs in that system is a single processing activity. You may have an HR system and thus decide everything in that system is “HR Processing”. The ensuing logic being that you will then regard the lawful basis for this HR Processing as Performance of a Contract. Sweet! Job done! Off to the pub…Not so fast!
Whilst it is likely some HR processing will fall under the lawful basis of performance of an [employment] contract, some activities will not be covered by this lawful basis – because there is nothing in the contract requiring this other processing to occur! Personal data in the HR system may be used to support the provision of system access. Personal data may also be used to record learning and development activities. Personal data will be used to support tax reporting. Each of the processing activities just described relies on a lawful basis other than the performance of a contract.
Make sure you first separate out your processing activities before then determining which lawful basis applies.
3. Discount lawful bases which can’t apply first
With an understanding of the data, the Data Subject and the rights that might apply, and with an understanding of the processing at a sufficiently granular level of detail, you can turn to the six lawful bases to choose from, which are listed below:
- Contract Performance
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
- Consent
The order listed above is not accidental; it is designed to get the majority of Controllers to the correct lawful basis in the least number of steps. The order doesn’t just consider the lawful basis but also which rights are triggered by each lawful basis. By working your way down through this list, once you reach an appropriate basis you can stop.
Using the guidance provided by your data protection authority (or support from an amazing consultancy like ours), work down the list. If a contract doesn’t exist, move on. If no legal obligation exists, keep going. Not saving a life? Move along. Not in the public sector? Nothing to see here. Can you justifiably balance your interests against the data subject’s? No? Well…you’re at the end of the line and consent it is!
Remember, you can only have one lawful basis. You can’t have a backup if the first is challenged or withdrawn. You can’t rely on consent and then if consent is withdrawn fall back on legitimate interests. So the key is to find the most robust lawful basis with the least subjectivity. The less subjectivity, the less challenging the decision-making process will be to defend. Once you have a lawful basis, it’s now time to document, document, document!
4. Document your lawful basis appropriately
It’s not just a case of stating your lawful basis in your privacy notice; internally you need to document how you arrived at your decision. The ICO have this step on their checklist:
“We have documented our decision on which lawful basis applies to help us demonstrate compliance.”
But, what should your documentation look like? There are no specific templates for documenting your lawful basis. Information requirements also differ depending on the lawful basis. Suffice to say, a useful place to record this information is in your Records of Processing Activity (RoPA).
Now there is a bit of confusion as to who is required to maintain a RoPA. We’re not going to go into that now but if you want to demonstrate compliance with EU/UK GDPR you can’t go too far wrong by having a RoPA at the centre of your data protection compliance regime. The minimum standard for a RoPA – strangely – doesn’t include the requirement to document your lawful bases but it’s definitely worth recording your lawful basis in the RoPA and then signposting to a document that lays out your decision-making process in more detail.
Bear in mind that for certain types of lawful basis, organisations must document specific information about how they have arrived at that lawful basis. For example, if you rely on Legitimate Interests, then you will need to document your Legitimate Interests Assessment (LIA). If you rely on Public Task, you must document how the processing is necessary for you to perform a task in the public interest or exercise your official authority, and identify the relevant task or authority and its basis in common law or statute. Similar criteria exist for each lawful basis.
It’s not good enough to simply pick a lawful basis and document it as a one-liner in your RoPA while failing to document the decision-making process. In the unfortunate situation where a Data Subject makes a complaint, an organisation will want to be in a position where the complaint is deemed invalid. Defending a complaint will be a lot less onerous if you can provide the data protection authority with your decision-making process.
In addition to documenting your decision-making process, you must also demonstrate transparency. This is partly achieved by including basic information about your purposes and lawful bases in your privacy notice.
5. Periodically review
The law changes regularly, which means a processing activity could no longer be able to rely on its current lawful basis. Decisions by the EU and UK regulators may also provide further clarity on what is and isn’t acceptable. Organisations must react to these changes swiftly.
The best way to do this is to keep abreast of what is going on in the world of data protection and calendar a periodic review of your lawful bases. Do they still hold up? If you’re too busy to do this yourself or simply don’t have the time to keep up-to-date with everything going on in the world of GDPR, get in touch, Fox Red Risk have an Outsourced DPO service that can help you with all the heavy lifting – leaving you to get on with the day job!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.