Lawful Basis
The principles of GDPR obligate an organisation to process personal data lawfully. In the legislation, there are six legal bases for processing personal data which are:
- Consent
- Contractual
- Legal obligation
- Vital interests of the data subject
- Public interest tasks
- Legitimate interests
Consent
Under GDPR, consent must be explicit and cannot be assumed implicitly from inaction. For consent to be valid, it must be informed, freely given and an affirmative action signalling the data subject's agreement.
Contract
This legal basis covers the processing of personal data that is needed to fulfil a contract, including what is necessary prior to engaging in a contract to determine the contract terms. It only applies to the processing which forms part of the core services or products provided as part of the contract.
Legal Obligation
Most organisations have legal requirements to comply with; for example, invoices usually must be kept for several years for tax audit purposes. This legal obligation usually determines the length of time for which personal data is retained.
Vital Interests
This usually covers health information where personal data may be needed by hospitals in emergency situations.
Public Interest tasks
This covers the processing of personal data by public authorities.
Legitimate Interests
This is a wide-ranging legal basis which many organisations rely on. GDPR was never meant to stop organisations processing personal data in ways that benefit the organisation, but to ensure that such processing is justifiable and proportionate, and that it balances the interests of the organisation against the rights and freedoms of the data subject.
How Organisations Get the Lawful Basis Wrong
- Multiple Legal Bases
Some organisations list every legal basis in their privacy notices, which is confusing to data subjects. For example, this is the legal basis notice provided in the WhatsApp privacy notice:
This wording is a template provided by the ICO, which intended organisations to tailor it to the bases they actually use, not to copy the legislation and template verbatim as a "catch all" legal basis.
In addition, it becomes problematic when an organisation states multiple legal bases for the same processing of personal data. Listing consent as a legal basis gives data subjects the impression that the processing will stop if they withdraw their consent, only for them to find that the organisation subsequently claims to be processing the data under the Legitimate Interests basis and disregards the withdrawal of consent. This "pick and choose" approach is neither fair nor transparent to the data subject.
Solution:
Ensure that the main legal basis for the processing of personal data is identified for each type of personal data processing carried out.
Ensure that this is stipulated clearly in the privacy notice so there is no ambiguity for the data subject about the lawful basis.
- Not updating the lawful basis
Personal data may be collected and processed under one lawful basis, but the applicable basis can change over time.
For example, personal data may be collected as part of a contract which has a data retention period set to keep the data for as long as the contract is valid. If the contract ends, then an organisation may have a legal requirement to keep the data as part of its records for a period of 6 years.
Solution:
Organisations should have a clear retention schedule for each legal basis of processing.
Organisations should be able to easily identify when a change of legal basis applies and ensure the relevant data retention period is subsequently applied to that personal data.
Organisations should make this clear in the privacy notice so that data subjects understand what happens to their data at the end of a contract.
- Forced consent
Under GDPR, consent must be informed, freely given and an affirmative action. When consent is forced, it is not a valid consent.
For example, the MyFitnessPal app sends personal data from the EU to the US, where its servers are located. Its privacy policy presents data subjects with a consent form, but the data subjects do not have a choice: they must either tick the "consent" boxes in order to create an account and use the service, or they cannot use the app at all.
However, if data subjects do not have a real choice, then consent is not the correct legal basis for the processing of their personal data.
WhatsApp has recently announced a change to its terms which requires data subjects to accept the sharing of their personal data across the Facebook group or have their accounts deleted. Since this announcement, many people have expressed concern about the increased privacy intrusion this will entail for something they had previously been able to opt out from.
At the time of writing, Signal has become the most downloaded chat app. Organisations need to understand that people want more privacy, not less, and will not remain with a service if they feel they are being forced into something they had previously chosen not to accept. Not prioritising privacy can lead to a significant migration of customers to a competitor, with subsequent financial impacts to the organisation.
Solution:
Ensure any processing that you deem to be a consent basis actually gives the data subjects a choice.
If data subjects have no real choice, consent is the wrong legal basis, and you need to identify the correct legal basis; otherwise your data processing would not be lawful.
Organisations need to keep a record of this lawful basis and inform data subjects clearly in privacy notices.
- Excessive contractual services
Organisations often bundle other personal data processing with the core services provided under the contractual lawful basis. This usually involves repurposing, which is lawful provided the additional processing is compatible with the contracted services.
The issue arises where the repurposing is not compatible with the contractual personal data processing, marketing being a common example.
Solution:
Establish if the additional personal data processing is compatible with the core services.
Where such additional processing is not compatible with the core contractual services, the organisation should seek consent for the processing or rely on the Legitimate Interests basis.
- Legitimate Interests
While the Legitimate Interests basis of processing is wide ranging and gives organisations a legal basis to process personal data in a way that benefits them, the processing does have to be justifiable, proportionate, transparent and fair to the data subject.
Legitimate Interests is therefore not a lawful basis for avoiding consent when consent should be sought, nor does it justify an organisation overriding data subjects' rights.
The Privacy and Electronic Communications Regulations (PECR) determine when an organisation is required to obtain consent for marketing and when it can rely on legitimate interests. Prior to GDPR coming into effect in May 2018, many people very quickly developed "GDPR fatigue" from inboxes overflowing with consent requests for marketing, the majority of which were unnecessary because Legitimate Interests would have been the appropriate lawful basis.
The fear of a GDPR fine in this situation made organisations over-cautious and led them to seek consent. The problem is that, having made it a consent basis, they can no longer rely on Legitimate Interests to cover that marketing.
Having led data subjects to believe it was a consent basis which could be withdrawn at any time, it would be unfair to change the lawful basis to Legitimate Interests, from which the data subject cannot withdraw consent.
The key test for Legitimate Interests is necessity: it does not apply if a less privacy-intrusive approach can achieve the same results. This requires organisations to be prepared to change how they work – existing processes which are more privacy intrusive than available alternatives would not be covered by the Legitimate Interests basis of processing.
Solution:
Organisations which are going to rely on the Legitimate Interests basis for processing personal data should conduct a Legitimate Interests Assessment to test whether it is the correct legal basis.
Organisations should identify the legitimate interest, establish whether the processing is necessary and whether less privacy-intrusive options are available, and then conduct a balancing test weighing the organisation's interests against the data subject's rights.
Where the processing is determined to be high risk, high impact or highly privacy intrusive, Legitimate Interests is unlikely to be the most appropriate basis for processing.
Ensure the right to object to Legitimate Interests processing is conveyed in the organisation's privacy notice, since withdrawal of consent does not apply to this lawful basis of processing.
Conclusion
This paper has set out the principles and lawful bases of GDPR, where organisations often make mistakes, and proposed some basic solutions. This can be a complex area to get right, so it is advisable to seek professional assistance if your organisation does not already employ sufficient expertise.