Article 6 of the General Data Protection Regulation covers the lawfulness of processing data. Now the ICO has produced an online tool to help you decide which basis, if any, you can use.
How does the ICO legal basis tool work?
Much like the Information Commissioner’s Office GDPR Self Assessment, (which we thoroughly recommend if you’re starting out), the lawful basis interactive guidance tool takes you through a series of questions about the data subject and your situation.
What are the lawful bases for processing personal data?
Each time you plan to process personal data, your organisation needs to make sure that the reason you are doing so is either consent, contract, legal obligation, vital interest, public interest or legitimate interest.
How does lawful basis affect the rights of individuals?
Certain lawful basis’ determine the amount of control the data subject can retail over the data, as illustrated in this chart:
How do you demonstrate your legal basis decision making process?
Article 5(2) of the GDPR says that you must be able to demonstrate that the basis you choose applies to the data you are processing. Additionally, you need to be able to describe and demonstrate the process you took to make that decision. An information security management system makes documenting this, and clearly categorising the data, a breeze.
Documentation is a big part of GDPR, as well as being one of the biggest changes to the Data Protection Act as we know it. We’ve sought to solve that task with our Personal Data Inventory & Records Processing Tracker available in the ISMS.online platform.
Document and categorise the personal data that your organisation holds… (click on the image below to expand)
Then select the lawful basis you are using to process the personal data…
Related posts
Need an efficient way to manage and categorise the personal data you store?
ISMS.online features a Personal Data Inventory & Records Processing Tracker to help you do just that.
Not ready to get started? Subscribe to receive more articles like this.
The information in this blog is for general guidance and does not constitute legal advice.
