• ISO9001 Quality Management
    Systems (QMS)
  • ISO14001 Environmental Management
    Systems (EMS)
  • ISO50001 Energy Management
    Systems (EnMS)
  • ISO45001 Health & Safety Management
    Systems (OHASMS)
  • ISO27001 Information security
    management systems (ISMS)

How does the GDPR change the lawful basis for processing personal data?

08 Dec 2017

Under the current Data Protection Act 1998 (DPA) any organisation that processes personal data and sensitive personal data must have a legal basis for doing so. The GDPR, which comes into force in May 2018, is more rigorous in maintaining this position.  Changes affected by the GDPR will have clear, practical implications in a way that the current DPA does not.  Individuals’ rights will differ depending upon the lawful basis for processing their data. 

The GDPR legal basis for processing personal data

If your organisation wants to process personal data then it must satisfy at least one of the following conditions:

1. Consent

The data subject has explicitly consented to the processing of their personal data.

2. Contractual

It is necessary to process personal data prior to entering into a contract with the data subject.

3. Legal obligations

Processing is necessary to comply with a legal obligation.

4. Vital interests

This applies when the data subject is not physically or mentally capable of giving consent but processing is necessary to protect the vital interests of the data subject or another person. For example, when an individuals’ medical history is disclosed to a hospital following a serious accident.

5. Public interest

It is in the interests of public safety to carry out the processing of this personal data.

6. Legitimate interests

It’s necessary to process the personal data for the legitimate interests of the organisation or a third party, except when this negatively affects the interests, rights or freedoms of the data subject.

What are ‘legitimate interests’?

The following GDPR recitals give examples of ‘legitimate interests’ for processing personal data:

Recital 47: processing for direct marketing purposes or preventing fraud. However, Recital 47 states that data controllers must consider whether their legitimate interests are outweighed by the interests and fundamental rights of data subjects.

Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes including client and employee data.

Recital 49: processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications.

Recital 50: reporting possible criminal acts or threats to public security to a competent authority.

What GDPR conditions must organisations meet to process sensitive personal data?

The GDPR states that sensitive personal data relates to an individual’s:

  • race, ethnic origin, political opinions, or religious beliefs
  • trade union membership
  • physical or mental health
  • sexual life
  • criminal background – offences committed or allegedly committed.

It’s mandatory under the GDPR for organisations to satisfy at least one of the following requirements in order to process sensitive personal data:

1. Explicit consent

The data subject has given explicit consent for their sensitive personal data to be processed.

2. Employment, social security and social protection laws

Processing is necessary to meet employment, social security and social protection laws or ‘a collective agreement providing for appropriate safeguards for the fundamental rights and interests of the data subject’.

3. Vital interests

This only applies when a data subject isn’t physically or mentally able to give consent but processing is a matter of life or death for them or for somebody else.

4. Not for profit (NFP)

When processing is carried out by an NFP for political, philosophical, religious or trade union reasons providing that this information is not shared with any third parties without the data subject’s consent.

5. Public

Where the data subject has ‘manifestly’ shared their sensitive information publically under their own initiative.

6. Legal obligations

Processing is necessary for legal matters.

7. Public tasks

Processing is necessary in the interests of public health and safety.

8. Medical reasons

Processing for ‘the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law…’

9. Research, archiving and statistical purposes

Processing is necessary for the public interest or for scientific, historical or research purposes providing the aims are proportionate to the fundamental rights and interests of the data subject. The data subject’s rights must be respected and safeguarded.

What satisfies ‘consent’ under the GDPR?

The GDPR defines consent as ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. Silence, pre-ticked boxes or inactivity do not constitute consent.

How can my organisation prepare for changes to the lawful basis for processing personal data?

  • Start by assessing what lawful grounds you currently rely upon for processing personal data and sensitive personal data. Will these grounds still remain valid under the GDPR? What action do you need to take to be GDPR compliant?
  • If you rely on ‘consent’ as your lawful basis but this is no longer adequate under the GDPR, update your policies, procedures and privacy notices to reflect this.
  • Make your staff aware of which legal basis’ your organisation relies upon for processing personal data.

Most importantly, make sure you identify and document your lawful basis for processing personal data and sensitive personal data so that you comply with the GDPR.

How can NDC help?

Our information security consultants can provide on/off consultancy and training that will support you to:

  • conduct a gap analysis of your existing systems and processes for processing personal data and sensitive personal data
  • update your policies, procedures, privacy notes and audit checklists to comply with GDPR
  • raise awareness of GDPR requirements and benefits within your organisation.
ISO 50001 audit tool
© Copyright All Rights Reserved, NDC Certification Services Ltd. 2020.