What is Lawful Basis for Processing - Lead Forensics

        A common misconception around GDPR is that it doesn’t permit businesses to process personal data, or you may have heard that you specifically need ‘consent’ to process personal data. This is not strictly correct. The GDPR is there to protect and control the use of personal data, but it is not intended to hinder business or industry; the intention is to ensure businesses consider the rights and freedoms of their data subjects.

        Example: Consider the police force. They have a necessary requirement to process personal data in the interest of public safety, and of course they could not seek consent from their data subjects before collecting and processing the data, otherwise it could compromise the case! GDPR applies across all industries, and it is therefore logical that there are actually six lawful bases on which an organisation can collect, process and store data.

        The six lawful bases are as follows:

        Legitimate Interests

        Legitimate interest is perhaps the most flexible lawful basis on which you may process personal data, and is likely to be the lawful basis that most marketers will look to use in a B2B environment.  With legitimate interest you may collect, process and store personal data, as long as you have considered and can prove that there is a legitimate interest (basically a good reason why).  It is also important to show that you’ve balanced the use of legitimate interest against the individual’s interests, rights and freedoms. You must also include full details of your legitimate interests in your public-facing privacy policy.

        The ICO specifically mentions direct marketing as an area that could be deemed necessary to leverage legitimate interest. It mentions that the processing must be a targeted and proportionate way of achieving your purpose, and that the organisation should also consider whether there is another reasonable and less intrusive way to achieve the same result.

        The ICO recommends conducting and documenting three tests when looking to leverage legitimate interests:

        1. Purpose test: are you pursuing a legitimate interest?
        2. Necessity test: is the processing necessary for that purpose?
        3. Balancing test: do the individual’s interests override the legitimate interest?

        (source: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/)

        Consent for a specific purpose

        For consent to be used as the lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box, etc.) and positively opt in for their data to be held and used. Here, you must always offer very specific options, so that you get separate consent for separate actions. If services are being offered to children, then parental consent will be a requirement. In any case where consent is difficult to obtain, you must look for a different lawful basis for your data processing.

        Contractual necessity

        You can lawfully process data if you have a contract with the individual and you need to process their personal data in order to comply with your contractual obligations. This option will also cover you if you don’t yet have a contract, but have been asked to do something that requires you to process their personal data, such as producing a quotation.

        Controller bound by legal obligation

        You can also process personal data if you are required to do so to comply with a common law or statutory obligation. This doesn’t, however, apply to contractual obligations. If you can reasonably comply with a law without processing personal data, then this basis won’t apply. If you do use this lawful basis, then you must document your decision and the justification for your reasoning, including details about the specific law or guidance concerned.

        To protect vital interests

        This will only apply to organisations who are required to process data to protect someone’s life, for example if you are providing emergency medical care. Even in these cases, if the individual is capable of providing consent, then it must be sought.

        Public interest or official duty

        This lawful basis allows you to process personal data if the task is in the public interest, or if you are required to perform a function that has a clear basis in law.

        What Constitutes Personal Data?

        Offering greater protection for personal data lies at the heart of the new regulation, so you first need to understand what constitutes personal data under GDPR. As the processing of any personal data falls under its remit, organisations operating B2B, B2C or business-to-employee models will all have the same obligations.

        What is classed as personal data?

        • Identifying information – This includes any information that can be used to identify a person (either directly or indirectly), including name, identification number, email address, bank details and an IP address, etc.
        • Sensitive personal information – This includes genetic data, or information around health, sex life, sexual orientation, religious & political views, mental, physiological, economic, cultural or social identities. Basically, anything that could put someone at risk of unlawful discrimination.
