A common misconception around GDPR is that it does not permit businesses to process personal data, or you may have heard that you specifically need ‘consent’ to process personal data. This is not strictly correct. The GDPR exists to protect and control the use of personal data, but it is not intended to hinder business or industry; the intention is to ensure that businesses consider the rights and freedoms of their data subjects.
Example: Consider the police force. They have a necessary requirement to process personal data in the interest of public safety, and they of course could not seek consent from their data subjects before collecting and processing the data, otherwise it could compromise the case! GDPR applies across all industries and therefore, logically, there are actually six lawful bases on which an organisation can collect, process and store data.
The six lawful bases are as follows:
- Legitimate interests
- Consent for a specific purpose
- Contract with the individual
- Controller bound by legal obligation
- To protect vital interests
- Public interest or official duty
Legitimate interests
The ICO specifically mentions direct marketing as an area where it could be deemed necessary to leverage legitimate interests. It states that the processing must be a targeted and proportionate way of achieving your purpose, and that the organisation should also consider whether there is another reasonable and less intrusive way to achieve the same result.
The ICO recommends conducting and documenting three tests when looking to leverage legitimate interests:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
Consent for a specific purpose
For consent to be used as the lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box, etc.) and positively opt in to their data being held and used. Here, you must always offer very specific options, so that you get separate consent for separate actions. If services are being offered to children, then parental consent will be a requirement. In any case where consent is difficult to obtain, you must look for a different lawful basis for your data processing.
Contract with the individual
You can lawfully process data if you have a contract with the individual and you need to process their personal data in order to comply with your contractual obligations. This option will also cover you if you do not yet have a contract but have been asked to do something that requires you to process their personal data, such as producing a quotation.
Controller bound by legal obligation
You can also process personal data if you are required to do so to comply with a common law or statutory obligation. This does not, however, apply to contractual obligations. If you can reasonably comply with a law without processing personal data, then this basis will not apply. If you do use this lawful basis, then you must document your decision and the justification for your reasoning, including details of the specific law or guidance concerned.
To protect vital interests
This will only apply to organisations that are required to process data to protect someone’s life, for example if you are providing emergency medical care. Even in these cases, if the individual is capable of providing consent, then it must be sought.
Public interest or official duty
This lawful basis allows you to process personal data if the task is in the public interest, or if you are required to perform a function that has a clear basis in law.
What Constitutes Personal Data?
Offering greater protection for personal data lies at the heart of the new regulation, so you first need to understand what constitutes personal data under GDPR. As the processing of any personal data falls under its remit, organisations operating B2B, B2C or business-to-employee models will all have the same obligations.
What is classed as personal data?
- Identifying information – This includes any information that can be used to identify a person (either directly or indirectly), including name, identification number, email address, bank details, IP address, etc.
- Sensitive personal information – This includes genetic data, or information about health, sex life, sexual orientation, religious and political views, and mental, physiological, economic, cultural or social identity. Basically, anything that could put someone at risk of unlawful discrimination.
What can Lead Forensics do for your business?
Imagine if you could take control of your lead generation activity and convert sales-ready prospects before your competitors even get close. Lead Forensics is the software that reveals the identity of your anonymous website visitors and turns them into actionable, sales-ready leads in real time.
Lead Forensics can:
- Tell you who is visiting your website
- Provide highly valuable contact information including telephone numbers and email addresses
- Give insight into what each visitor has looked at, as well as where they came from.
Take a look for yourself with a free, no obligation trial – you can get started today!