What legal grounds do you have?
To hold and process personal data, you need to have and document at least two lawful grounds for doing so. Find out what the lawful reasons for holding personal data might be.
Doing anything with your clients’ non-sensitive personal data relies on your having the ‘legal grounds’ to do so. Below are the six allowable legal grounds to consider. No single basis is more important than another:
Necessary for the controller’s legitimate interests – if it’s necessary to use personal information for business purposes
Consent – this has to be given freely (you can’t insist upon it in exchange for a service); specific to how the data is used; unambiguous (there’s no doubt that consent has been given); and informed (they need to know how you plan to use it before consent can count)
Necessary to perform a contract – if you’ve been asked to do something and the use of their personal data is necessary
Necessary for compliance with a legal obligation – if you’re legally required to do something and need the personal data to do it
Necessary to protect vital interests – if it’s in your client’s best interests, such as a medical emergency
Necessary to perform a task in the public interest – this could be sharing information with police, security services, etc.
Once you are satisfied that you meet the requirements of a legal ground, you’ll need to document it and take care to get it right first time around (you won’t be able to swap grounds at a later stage without good reason). If the purpose changes, you may continue to process the data under the initial lawful basis, provided the new purpose is compatible with the initial purpose.
If you use any form of e-marketing, it’s worth knowing that similar rules apply under the Privacy and Electronic Communications Regulations (PECR). PECR is intended to restrict unsolicited marketing by phone, fax, email, text, or other electronic message.
There are different rules for different types of communication. For example, you’ll need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you.
For more information about PECR go to http://www.ico.org.uk/for-organisations/guide-to-pecr/
Special Categories of Personal Data
If you process someone’s personal data of a more sensitive nature (commonly referred to as Special Categories of Personal Data), you also need to satisfy one of the following grounds:
Necessary for employment law
Necessary to protect the subject’s vital interests
Legitimate activity of a non-profit organisation or trade union
Data is already made public by the data subject
Necessary to defend or establish a legal claim
Substantial public interest
Necessary for preventative or occupational medicine
Necessary for public interest in public health
Necessary for archiving in the public interest
Examples of Special Categories of Personal Data include:
Racial or ethnic origin
Religious or philosophical beliefs
Trade union membership
Data concerning health and sexual orientation
Biometric data used for unique identification purposes, such as fingerprints
Consider your data security
You’ll need to take a risk-based approach when considering the appropriate level of security for the personal data you process, including its use, storage and transfer.
What have you got to lose?
GDPR gives the ICO and other regulators greater powers to take action quickly and forcefully on non-compliance. Depending on what’s gone wrong, you and your business could face a number of challenges.
What to do if you have a breach?
If a breach happens, what do you need to report?