The Information Commissioner’s Office (ICO) has expanded their guidance on the ‘Lawful Basis for Processing’ section of the General Data Protection Regulation (GDPR).
‘Lawful Basis for Processing’ provides information on how personal data should be processed and how consent should be obtained – if indeed you are required to obtain consent at all.
Let’s take a look at the updated guidance on the GDPR published by the ICO.
Legitimate interests under GDPR
Article 6(1)(f) of the GDPR states that you can legally process data without obtaining consent using legitimate interest. This is how the ICO describes its use under the GDPR:
“The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.”
The ICO goes on to say that the processing of data must be a targeted and proportionate way of achieving your purpose. Meaning that you cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.”
What additions have been made to the legitimate interest basis?
The ICO says that the lawful basis for legitimate interest is “essentially” the same as the Schedule 2 condition in the Data Protection Act (DPA) 1998.
The changes made mainly concern:
- Legitimate interests
- Special category data
- Criminal offence data
Demonstrating GDPR compliance
The need for documenting your decision-making process is probably the biggest change to the current Data Protection Act. The evidence and audit trail you keep, like in an information security management system, will allow you to easily demonstrate your compliance.
Third party interest
Legitimate interest can include processing data without obtaining consent if it is considered to have a wider benefit to society.
Personal data of children
More weight has been given to protecting this data. In addition, under the GDPR, public authorities will be more limited when it comes to legitimate interest, where the ‘Public Task’ legal basis should be considered.
Special Category Data under GDPR
The Information Commissioner’s Office describes special category data as that which is particularly sensitive, and could pose “more significant risks to a person’s fundamental rights and freedoms.” This means that it requires more protection. The ICO lists the following as examples of special category data.
- Ethnic origin
- Trade union membership
- Biometrics – where data is used for ID purposes
- Sex life
- Sexual orientation
What’s changed for special category data under GDPR?
In addition to the current Data Protection Act 1998, genetic and biometric data has now been added to the new regulation. Genetic data relates to inherited or acquired genetic characteristics. This information will give an indication of the health and physiology of an individual and the information resulting from that is what we refer to as biometric data.
In addition, the special category data section no longer includes personal data processed on criminal offences and convictions – this is now covered separately in Article 10, Criminal Offence Data.
Criminal Offence Data and GDPR
Criminal offence data includes, but is not limited to, information on offences, allegations, proceedings, convictions and related security measures.
Article 10 of the GDPR states:
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
What’s new with criminal offence data?
Article 10 of the GDPR states that you can only “keep a comprehensive register of criminal convictions if you are doing so under the control of official authority.”
Also, as mentioned earlier, criminal offence data has been moved out of the special category data section.
The Evolving GDPR
With more updates still to come on the GDPR, stay tuned to get the lowdown on announcements from the Information Commissioner’s Office.