Have you covered all your GDPR (lawful) bases?
It’s often difficult to make GDPR relatable to the day-to-day work of a one-man/woman small business. If you have your head down beavering away at the “real work”, having someone tell you that you must do this, or do that this way, is no help at all!
This post is about giving you a handle on how the lawful bases for handling personal data fit into your “real work”. N.B. I may also be going for the most clichés I can fit into a blog post (wish me luck!).
The legal stuff…
I’ll try to avoid the rabbit hole of wasted time and break the subject down into bullet points for quick reading/reference:
- You have no choice about having a lawful basis for each purpose for which your business handles personal data. You do have a choice about which one you select and state in your Privacy Notice/Policy.
- There is no odds-on favourite basis you should choose. It’s horses for courses (sorry, I know!).
- You pick the best or most appropriate basis and then you must stick to it unless you have a damn good reason (swapping away from consent, for instance once someone has refused or withdrawn it, is a big no-no). I was so tempted to throw in another saying about changing horses mid-stream – so glad I resisted.
- The handling of personal data must be necessary. Five of the six bases (all except consent) have the word “necessary” built into their wording. If you can get where you need to without the data – you don’t have a lawful (basis) leg to stand on.
- You must decide/know which of the GDPR lawful bases you are using before you start collecting/handling the data! If you want some help, the ICO (the horse’s mouth for the UK) has an online interactive tool you can use: https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/
- Your Privacy Notice must state which basis applies for each type of data handling. Think of your Privacy Notice as your business’s written record of its data protection pedigree (if you want to continue the horsey theme… OK, maybe you don’t).
Don’t forget Special Category data always carries additional requirements for handling (you need a separate condition for it on top of your lawful basis), as does data on criminal convictions. If your business handles either of these types of data, you should definitely already be aware of them!
A touch more legal stuff (here are the GDPR Lawful Bases in all their glory)
I’ll try to keep this brief and simply give you the list of the six lawful bases set out in Article 6 of the GDPR, from which you choose:
- Consent – this is probably the one that you will be most aware of as a possibility. It isn’t always the best option. At. All. Consent has to be freely given, specific, informed and unambiguous, and the person can withdraw it at any time – at which point you have to stop.
- Contract – I’m guessing you will be comfortable with this one to a large extent. This will be where handling the data is necessary to meet your side of the bargain e.g., you need a contact name and a delivery address to send your product to. As you would normally do, make sure you have the clauses you need to cover data handling written in your standard T&Cs or as needed for a specific contract.
- Legal obligation – this is where you have to handle the data to fulfil your (yes, you’ve guessed it) legal obligations e.g., tax purposes.
- Vital interests – where you have to handle the data to protect someone’s life. In practice this is for emergencies, not routine business.
- Legitimate interests – this is a popular choice for quite a few small businesses BUT it really isn’t a question of your business’s interests being paramount. You have to identify the interest, show the handling is necessary for it, and then balance it against the individual’s interests and rights (the ICO calls this the three-part test). All you need to remember is, GDPR is designed to protect the individual’s rights over their own data and, if you want to be handling it, you must justify it. This means their rights can override your business’s interests, and if they do you are handling the data unlawfully.
- Public task – not really a lawful basis that applies to many (if any) owner-run businesses. It covers data handling for a task “in the public interest or for your official functions, and the task or function has a clear basis in law” (per the ICO).
Some practical context:
The last time I did a workshop on this, the entrepreneur who kindly allowed me to use her business as an example had 3 distinct business channels. This also meant 3 distinct processing routes, despite the use of the same tools and certain commonalities of approach. The (sad) conclusion was that there is no easy way to combine everything into a “one size fits all” document. I was getting worried that I hadn’t thrown in a cliché for a while – phew!
Trying to combine processes, legal bases, policies and public notices is a very difficult task and will end up being confusing for the people whose data you are handling. Consider what it is like for your audience/customers – unless it’s a manageable length and easy to understand, you’ll have missed one of the basic requirements of GDPR, which is transparency (see my previous blog post on Principles).
Necessary means necessary
Your lawful basis will disappear like smoke if the handling of the personal data isn’t truly necessary. I would always wonder, if you could do what you need to without handling personal data, why would you want to have the additional responsibility that comes with it? Necessary means – it’s got to be specific, it’s got to be targeted, and it’s got to be in proportion to achieving whatever the purpose is. If there is a reasonable, less intrusive way to get the same result, it isn’t necessary.
When is a Right not a Right?
Not every individual Right defined in the GDPR applies under every Lawful Basis; which rights people can exercise depends on the basis you have chosen. The table below shows this (this is based on the ICO table as it makes it crystal clear).
If marketing is your justification… tough!
The right to object when it comes to direct marketing is absolute! There is no balancing test and no exception: once someone objects, you must stop using their data for marketing.
There’s no way around knowing about this subject. It’s the very first building block towards compliance (as close as anyone can get, anyway). That doesn’t mean you need to be an expert on GDPR; just know what applies to your business. You are an expert in your business, which means you can tailor your systems to fit yourself and your vision.
I’ll just finish with an apology for any sharp intakes of breath you took whilst reading this… See you on the next one. 😊