As the 25th May rapidly approaches, many organisations are hurriedly putting in place measures to ensure they manage data in line with GDPR – the General Data Protection Regulation.
GDPR sets higher standards, but they are an evolution of existing data protection standards rather than something entirely new. The Regulation requires that, in order to process personal data, you must have a valid lawful basis, and you must determine and document this before you begin the processing. A privacy notice should state the lawful basis for processing the data, as well as the purpose of the processing and the retention period.
There are six available lawful bases and most require that processing is ‘necessary.’ If you can reasonably achieve the same purposes without the processing, you do not have a lawful basis.
The lawful reasons include:
- Consent – this can no longer be assumed and consent must be freely given, specific, informed and unambiguous
- Contract – used when you process data to fulfil your contractual obligations to someone, or because they have asked you to do something before entering into a contract (for example, processing a job application or providing a quote).
- Legal obligation – if you need to process the personal data to comply with a common law or statutory obligation.
- Vital interests – where data needs to be processed to protect the vital interests of a person. This lawful basis will not be used very often.
- Public task – to perform a specific task in the public interest.
- Legitimate interests – most likely to be appropriate where data is used in ways individuals would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
GDPR requires a culture shift in how personal data is handled. Privacy is essential and it requires that we stop and think before handling data. You can find further information at www.ico.org.uk
If you would like further information or support for your business please contact Sheila Watson on 01429 857082.