Legal basis for processing
Once you have completed a data mapping exercise and applied the Data Protection Principles to your data, your organisation is required to demonstrate that it has a lawful basis for processing the data. If no lawful basis exists, any processing activity would be unlawful.
There are 6 legal bases on which an organisation may hinge its processing activities. These are consent, necessary for a contract, legal obligations, vital interests, public interest and legitimate interests. These are fairly self-explanatory. The two most common of these are consent and legitimate interests.
The requirement for consent has become much stricter than previously, with the data controller/processor needing to provide significantly more detailed information regarding the use of the data prior to obtaining a data subject's consent.
As indicated previously (see Direct Marketing), this must not be done with the use of pre-ticked boxes, and consent must be capable of withdrawal at any time. It should be separate from your terms of business and be written in clear and plain language. It should also refer to a Privacy Notice from which the individual can find out how their personal information may be used, with whom it may be shared and their rights under the GDPR.
Legitimate interests are usually ordinary, honest business practices where the processing of personal data is necessary to conduct your business transactions, such as obtaining financial information whilst selling a product to a customer online. The only requirement here is that these interests must be balanced against the interests of the data subject.
Accordingly, you must look at the impact on the data subject of holding this data, their reasonable expectations as to what you may do with it, the nature of the data held and how it is processed. It is important to demonstrate that additional safeguards have been implemented to limit the risk and consequences of a breach here.
If we can assist you or your business in any way, or if you have any questions in relation to the services that we offer, please contact us. We look forward to working with you.
Legal Basis for Processing Checklist
- Have you reviewed and updated your existing grounds for lawful processing to ensure GDPR compliance?
- Are you processing any special categories of data and if so, have requirements for processing been met?
- If consent is relied upon, have your existing consents been reviewed and where necessary, new consents obtained?
- Can your IT systems deal with an unsubscribe or withdrawal request?
- If legitimate interests are relied upon, does your Privacy Notice state the basis of the legitimate interest and describe the additional safeguards taken by you?