Before you begin any kind of processing activity, you need to decide which lawful basis applies. It’s important that you think carefully about this as it can be very difficult and time-consuming if it turns out that you’ve made a mistake and need to change your basis once you’ve started processing people’s data.
The GDPR lists 6 lawful reasons for processing data, which are; that you have the consent of the data subject; that processing is necessary for carrying out a contract; that you have a legal obligation to process the data; that processing is necessary to protect somebody’s life; that processing is necessary in order to perform a task which is in the public interest; and, that processing is necessary for your legitimate interests.
Each one of these lawful reasons is considered equal to the others, so you need to find the one which best fits the work you want to do and not aim for one which you think is somehow better than the others. You only need one lawful basis in order to process data in one particular way, if you process data in lots of different ways or if you want to start processing it for different reasons, you’ll need to decide on a new lawful basis for doing so.
If you’re responsible for data protection or managing data processing activities at work, make sure you check out our resource below to give you an in-depth understanding of each lawful basis. Even if you aren't responsible for data protection or managing data processing activities, we highly recommend that you take a look as well - having a lawful basis is essential for GDPR compliance, so it’s crucial that you understand them and what they require you to do.
This resource is in both our GDPR UK: Essentials & Advanced Courses. These courses are ideal for staff who need to follow the rules and policies that are laid out by the GDPR (Essentials) and those who are enforcing, or managing data protection in their workplace (Advanced).
Get started with your free no-obligation trial today!