When you are evaluating your data processing operations under the GDPR there are 6 conditions, one of which must be met in order for you to lawfully process personal data, and you must inform the Data Subject (DS) of the condition you rely on at or before the time you process their data. (Don’t forget that this is not a one stop shop: there may be a different justification for each type of processing that you do, and you must present each one to the DS.)
A good point to bear in mind when you are doing any analysis in your organisation to determine the basis on which you want to process data is to try and look at it from the perspective of your DSs; indeed, if your organisation has understood the requirements of the role of a Data Protection Officer (DPO), then this should be happening anyway. The DPO represents the interests of the DS in the organisation and takes steer from the Supervisory Authority (SA), not from the organisation that they are employed / contracted by; essentially this is to avoid a conflict of interest and to ensure best practice.
So what are the 6, and why do I say stairs? It is a good analogy: the lower steps are more risky and at risk of ‘a flood of objections’, and the higher and drier you go the better. You will soon see that not all are created equal and you should be reaching for the stars ….
Step 6 – Consent
Step 5 – Performance of a Contract
Step 4 – Compliance
Step 3 – Protection of Vital Interests
Step 2 – Public Interest
Step 1 – Legitimate Interest
I won’t talk about all the steps, or in huge detail, as it will often be company / case specific, but I will mention the outliers at the top and bottom as the extremes.
(Explicit) consent, not implied, is the holy grail at the top of the pile, and it is what is needed for special categories of data. Present your case clearly, transparently and unambiguously, and if consent is given freely then you have done your job well. (Don’t be complacent and think the job is done, though: consent is two way and can / should be able to be withdrawn at any time, as easily as it is given, so ensure that you can handle withdrawal and the implications that it does / might bring.)
Now in some processing cases getting consent is going to be much easier than in others (children, for example), but if you want to do good by your customers and employees, your DS, then you should do your utmost to get consent.
Legitimate Interest, at the bottom of the stairs, is the weakest of the categories for you as a Data Controller to rely on and in essence should be looked at as a fallback option if there is no other basis you can rely on.
The burden is very much on you to evidence why, and you must:
- Ensure the purpose is a legitimate interest of yours or that of a 3rd party processor.
- Ensure the processing is necessary for your legitimate interest or that of a 3rd party processor.
- Ensure the DS are informed, at the time the data is collected, of the claimed legitimate interest of yours or that of a 3rd party processor.
- Ensure you balance your legitimate interest, or that of a 3rd party processor, against the interests of the DS.
- Ensure that the DS’s fundamental rights and freedoms are upheld / not compromised, as stipulated in the other articles of the regulation.
Public authorities MUST NOT rely on this as a reason for processing.
The important thing about any of the above lawful processing choices is that you:
- Document the decision, which should really be in the form of a Data Privacy Impact Assessment (DPIA), recording why the decisions were made. This ensures that you comply with the Accountability principle, and it also supports the Breach process should you ever have to review what went wrong and whether processing decisions were key to it.
- Seek Legal, DPO and / or SA steer on your decision prior to relying on it, to ensure that you are getting the best possible steer / guidance, which again will help the accountability aspect.
This is not the whole story as you can probably imagine but it will start you thinking ..