An analogy to explain how lawful basis for processing personal data works.
Here is a labyrinth. In the centre is your objective – your specific purpose, achieved by fair, lawful and transparent processing of a set of personal data.
There are 6 doors to the labyrinth, but only one of them leads onto the right path for getting you to your objective. These doors are the lawful bases for processing. If you choose the right door, you’re on the right path. If you choose the wrong door, you will never make it to the centre.
The lawful basis doors are:
· Consent – informed, freely-given, specific, unambiguous, evidenced
· Contract – either the terms of a contract between you and the data subject cannot be fulfilled unless this particular processing takes place, or you can’t negotiate or take steps to enter into a contract with the data subject unless this particular processing takes place
· Legal obligation – unless you process this data in this way, your organisation will be unable to fulfil an obligation which is required of it by law
· Vital interests – someone may suffer life-threatening harm unless the processing takes place
· Public task/interest – either your organisation is a public authority and needs to do this processing in order to carry out its statutory duties, or your organisation will be unable to fulfil a task carried out in the public interest unless this particular processing takes place
· Legitimate interests – the processing is needed in order to do something that will benefit someone in a way that doesn’t undermine the data subject’s rights and freedoms, or break any other laws
Now, if you’ve articulated your processing activities and defined your purpose(s) carefully, you should only be able to fit through one of the doors, and that will therefore be the correct one. Usually the door you should choose is obvious (if you’ve done your homework), but sometimes you’ll end up having to make a choice between two, or three at the most. You can only go through one door at a time, and once you’re inside, you can’t switch paths, only exit and start again.
It may be tempting to go straight through the first door because it’s nearest and looks easiest – but this is actually a very bad idea. Unless it’s the right door, you won’t be able to reach the end of the maze (your objective – fair and lawful processing to achieve a particular purpose). So you need to be careful to set off from the right door or you’ll be in a pickle later on.
The lawful bases for processing personal data are set out in Article 6 of the GDPR. If a purpose requires you to process special category personal data (that is, personal data relating to health, ethnicity, sex life, religion or faith, political opinions, trade union membership, genetics, biometrics for identification purposes or criminal records*), then you’ll need to get through two labyrinths, which means you need to pick the right door from Article 9.2 as well.
(*Not actually one of the special categories as defined by the GDPR [see Article 10] – however, treated as essentially the same thing under the UK Data Protection Act 2018, which incorporates the GDPR into Brexit UK’s domestic law.)
And that’s what it’s all about.
If you found this piece helpful, please consider subscribing to my Mythbusting tier, where I’ll soon be publishing more posts about choosing and applying the individual lawful bases.
Thanks for reading!