The GDPR Lawful Bases for Processing and Data Subject Rights

Practical tips on meeting your legal obligations without hampering your data processing activities

In a previous interview about practical GDPR (General Data Protection Regulation) compliance, head of consultancy Louise Brooks explained:

Organisations tend to see the GDPR as prescriptive. This stems from misunderstandings around how the Regulation actually works:

1. The UK GDPR is principles-based, so it doesn’t have a prescribed list of dos and don’ts.
2. The Regulation is risk-based – you need to take proportionate action only.

An organisation should always strive for compliance, but where the risks are higher, you should implement a higher level of compliance to mitigate those risks. You may also be subject to more stringent requirements – conducting a DPIA [data protection impact assessment], for example, and possibly appointing a DPO [data protection officer].

The bigger point to understand is that the GDPR provides a framework rather than a stringent set of requirements. Organisations must implement that framework in a way appropriate to the context of their business, but we’ve seen clients struggle with that concept.

With this in mind, I want to get Louise’s thoughts on a big GDPR topic: consent.

We also discuss the other lawful bases for processing under the UK GDPR, when to rely on consent over alternative lawful bases, and the rights of data subjects under the GDPR.

About Louise Brooks

Louise started her career in law, practising as a solicitor before becoming the first compliance officer for WWF (pandas, not wrestling!), and then joining the RSPCA as head of data protection.

Now, as our head of consultancy, Louise advises organisations on the GDPR, the PECR (Privacy and Electronic Communications Regulations) and other data protection laws, helping them fulfil their privacy obligations while continuing to meet their business objectives.

Practical GDPR compliance aside, we’ve previously interviewed Louise about the ICO’s (Information Commissioner’s Office) ultimatum on cookies, how to meet the cookie requirements, and how to legally monitor staff.

In this interview

Consent is one of those topics that crops up a lot with the GDPR. Is that justified?

The big thing to remember is that consent is just one of six lawful bases for processing. You can justify the personal data processing for reasons besides consent.

So, organisations must make sure that consent is the most appropriate lawful basis to apply to the purpose for processing. Too often, organisations jump to consent when they’ve got five other lawful bases to consider.

What are the six lawful bases for processing?

1. Contract – if personal data is crucial to the contract, you can’t deliver that contract without processing the data. You can also rely on this to potentially enter a contract – because you’re providing a quote, for example.

2. Legal obligation – you can’t comply with a legal obligation without processing the data. This lawful basis is often used in employer–employee relationships, particularly in HR and employee relations.

3. Vital interests – you need to process the data to protect someone’s life.

4. Public task – assuming you’re an organisation exercising official authority or performing tasks in the public interest, you can’t complete the task without processing the data.

5. Legitimate interests – the processing is necessary to pursue a legitimate interest of the controller or a third party. But those interests must not be overridden by the data subject’s interests, rights or freedoms. You can use the LIA template [legitimate interests assessment] from the ICO to help determine whether you can rely on this lawful basis.

6. Consent. I’m deliberately covering this lawful basis last, because you only use it when you can’t rely on any of the other five bases.

What are the drawbacks of consent vs the other lawful bases?

First, getting the lawful basis right from the outset is important. You’ll have a hard time changing lawful basis after you’ve started processing. In fact, changing lawful basis is rarely possible.

With that in mind, if you rely on consent, remember that data subjects have the right to withdraw their consent at any time. If that happens, you must stop any processing relying on that consent immediately.

You’ll have to factor this into your processes, procedures, mechanisms and other measures supporting that processing activity you’re carrying out based on consent. You’ll also want to think about how to minimise the resulting business disruption.

What are the other conditions for consent?

The consent request to data subjects needs to:

  • Be clear, concise and granular;
  • Use easy-to-understand language;
  • Be separate from other terms and conditions;
  • Require a positive action to indicate the person’s consent – ticking a box, for example; and
  • Include information about:
    • What you’ll use their personal data for;
    • Where they can go for further information; and
    • How they change their preferences in the future.

Once you’ve established how you’ll achieve all this, you must then decide how you’ll document the consent for accountability purposes.

How can organisations document consent to demonstrate accountability?

You could document it via a consent management tool or CRM [customer relationship management] software. Whatever you choose, it needs to be a practical solution that works for your organisation.

Consent doesn’t have a shelf life, but organisations should be aware that it likely degrades over time. So, give some thought to the triggers and mechanisms that will either refresh the consent or require the organisation to update it with the data subject.

For example, an organisation could ask individuals to reconsent after a determined period – say, two years – but it could equally rely on positive interactions with individuals – such as opening an email or responding to a call to action – to demonstrate the consent is still valid. Or it could do a combination of those two things.

Either way, the organisation must understand what it considers appropriate based on the personal data processed, the processing activities and the relationship it has with the individuals, particularly in respect of their rights under data protection law.

Data subjects don’t just have the right to withdraw consent at any time; they have various other rights. Could you talk me through them?

Of course! In total, the GDPR lays out eight data subject rights:

1. The right to be informed

Data controllers must inform data subjects about:

  • What personal data they’re collecting; and
  • How they’ll use that data.

Often, they provide this information via a privacy notice.

2. The right of access

Data subjects may request access to their data. This tends to happen via a DSAR [data subject access request], which controllers must accommodate within one month and without charge.

3. The right to rectification

Data subjects may request a correction to their data, or that you complete incomplete data.

4. The right to erasure (‘the right to be forgotten’)

In certain circumstances [so, this isn’t an absolute right], data subjects may ask you to stop processing and delete their data. One of those circumstances is when you relied on consent to carry out the processing.

5. The right to restrict processing

This right isn’t absolute, but circumstances exist where individuals may request you pause processing. If this right is exercised, you may continue to store the data until the matter has been resolved.

Someone may exercise this right when, for example, contesting the accuracy of the data you hold on them. In fact, pausing the processing is a good practice in such a circumstance, even if the individual didn’t explicitly request you to do so.

6. The right to data portability

Where you rely on consent, and have automated the processing, data subjects have the right to obtain their data in a “structured, commonly used and machine-readable format” [quote from Article 20 of the GDPR].

Data subjects might ask for this to transfer their data to another data controller.

7. The right to object

Data subjects may, under certain circumstances, object to you processing their data. When you process the data for direct marketing purposes, this is an absolute right.

In other circumstances, you don’t need to stop processing if you can show good, legitimate grounds to continue it. However, you must provide this justification to the data subject within one month of receiving their objection.

8. Rights in relation to automated decision-making, including profiling

You’re not permitted to conduct fully automated processing activities if they lead to decisions with legal or similarly significant consequences for the data subject.

That said, you can do this if:

  • The processing is necessary to enter into a contract with the data subject;
  • The processing is required or authorised by law; and/or
  • The person has explicitly consented to the processing.

If any of these exemptions apply, you must inform data subjects about the processing, enable them to easily request human intervention or challenge a decision, and regularly review your systems to make sure they work as intended.

These rights will likely become increasingly important to bear in mind as more organisations deploy AI systems to process personal data.

How can organisations best accommodate data subjects exercising their rights?

Start by understanding how the rights apply to your processing activities. As discussed earlier, only one right is absolute – the right to object to direct marketing – so you may not have to comply with all the requests you receive.

That said, you must respond to all requests within one month of receipt, so if you’re unable to accommodate the request, you have to explain why not.

To meet that timeline, having good processes and procedures in place is invaluable. You should also give staff training, so everyone recognises when your organisation should respond to a request.

Finally, organisations will need to delegate the responsibility for complying with requests. This is important to ensure continuity and consistency in the application of your policies and procedures, and to establish internal accountability for compliance. You might nominate an internal individual or team for this. Equally, you might find it more cost-effective to outsource.

Unsure if your staff are ready to accommodate data subject rights requests?

If you’re looking for reassurance that your processes are working properly, including that your systems are managing consent in compliance with the UK GDPR, we can help.

Our Data Subject Rights Testing service can test all data subject rights, including the:

  • Right of access;
  • Right to erasure; and
  • Right to rectification.

We can also test consent management or account preference management.

At the end of each testing project, we’ll provide a detailed report, outlining information about:

  • Each individual dummy profile;
  • Which rights we tested; and
  • The outcomes of each test.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

In the meantime, why not check out our previous interview with Louise on practical GDPR compliance? Alternatively, explore our full index of interviews here.

If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free bi-monthly newsletter.
