Understanding the lawful bases for data processing

One of the greatest myths that surround GDPR is that without consent your hands are tied and you can't process customers data, that's a huge mistake as Consent is only one of the 6 possible Lawful Bases that you can apply, today we'll take a look at each one to understand how you might be able to use them when processing data.

1. Consent

This is the one everyone knows about, but you need to understand where it is and isn't applicable. Consent must be clear, the purpose for the data processing must be understood and the user must freely give their consent. You must be able to prove that an individual gave their consent for the processing of their data.

2. Contract

The second lawful basis covers you for most of the processing you will do as a company, processing that is required in order for you to complete the contract. For example, if you're shipping a product you will need to process the name and address of the customer in order to send the parcel, however, there would be no need to know their date of birth unless the product is age-restricted.

3. Legal Obligation

Number 3 is an easy one, you can process data if you are required by law to do so, in most cases this will be if you're in a legal profession or have been asked by law enforcement to carry out a specific task. You will also have legal obligations such as storing invoices for 6 years that are covered by this lawful basis.

4. Vital Interests

You're unlikely to ever use this lawful basis but it basically means, you are allowed to process the personal data of an individual if it is necessary to protect their life.

5. Public Task

The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. It's unlikely you'll use this one but it's available if you qualify for it.

6. Legitimate Interest

Here's the one that causes the most trouble as it's also one of the "grey areas" in GDPR. But it's also the basis that you're most likely to process most data under after consent and contract. You can process data for your legitimate interest (that includes marketing yourselves) as long as it does not infringe on a person's rights and they have not opted out of such processing.

So if we can use Legitimate interest, why do we need to collect consent?

We're often asked this, and basically, you have to understand that electronic marketing such as email and SMS are also covered by PECR (Privacy and Electronic Communications Regulations) which are more detailed and actually override the Legitimate interest rules for these channels. Put simply, though you can market to an individual using the Legitimate interest basis, if you're doing so by Email or SMS you have to comply with PECR which means unless you have acquired consent you would be sending unsolicited communications which are not allowed.

But what about opt-outs, are they still allowed?

If at the point of signup you're showing a visitor a statement that says something like - "We'd like to send you x & y, if you don't want this please tick the box" Then your consent will not be valid, this is because inaction cannot be deemed as consent. However (and here's the grey area) If you collect personal data and state that you do so for marketing you can legally send emails to a user in one specific case -

  • The products and services you are selling are "similar" to the ones the customer purchased when you collected their data.
  • They have not opted-out of such communications.
  • You have shown them a privacy policy that tells them you do this.

This is called the "Soft opt-in exemption". But bear in mind a new version of PECR is due out soon that will likely get rid of this exemption and also in our opinion you will get much better engagement rates when you actively collect consent from your users.

Unsure what to do next?

If you'd like us to review your data collection processes and check you're using the correct legal basis, enter your sites URL into our Free Site Audit and we'll check it out for you!