With the General Data Protection Regulation (GDPR) due to come into force within a matter of weeks rather than months, organisations will hopefully have at least started their data protection compliance projects. As part of this process, organisations should be determining the purpose of each of their data processing activities and assigning one "lawful basis of processing" to each such purpose.
There are six categories of lawful basis for all processing activities (very similar to the current Data Protection Act 1998) set out in Article 6 of the GDPR, summarised as follows:
• Consent of the individual (data subject);
• Necessary for the performance of a contract with a data subject;
• Necessary for compliance with a legal obligation;
• Necessary in order to protect the vital interests of a natural person;
• Necessary for the performance of a public interest task; or
• Necessary for the purposes of the legitimate interests of the organisation (controller) or a third party, subject to the overriding interests or rights of the data subject.
Processing of special categories of personal data and data relating to criminal convictions (currently still referred to as "sensitive personal data") must comply with one of ten additional lawful bases set out in Article 9 of the GDPR.
After attempting to allocate one of these six lawful bases under Article 6 of the GDPR to every single processing purpose, many people will be thinking "Why can't we base everything on the consent of the data subject and be done with it? Do we even need a lawful basis? Cosmically speaking, what does it matter?"
Cosmically, it probably doesn't matter, but under the GDPR, the allocation of a lawful basis is required in order to comply with the first data protection principle of "lawfulness, fairness and transparency" (Article 5(1)(a) of the GDPR) and in order to comply with the obligation to inform affected data subjects of the processing of their personal data (Articles 13 and 14 of the GDPR). A failure to do so could lead to a claim of unlawful processing of personal data, with all of the dire consequences of fines which have been the focus of much media attention.
Getting the lawful basis right is also important because of the effect the choice of lawful basis has on the rights of the data subjects. While the rights to information, to access and to rectification are unaffected by the lawful basis of processing, the right to object to processing only applies where the processing is based on the public interest or legitimate interests bases or where the processing consists of direct marketing. The right to be forgotten generally only applies where the processing was unlawful or where it was based on the consent of the data subject (and such consent was withdrawn) or where it was based on the legitimate interests of the controller (and the data subject objected to such processing). Consent must be freely given and therefore can be withdrawn by the data subject at any moment, at which point the processing activities must cease. These are just some examples of the interaction between the lawful basis of processing and the rights of the data subject, to demonstrate the complexity around the choice of lawful basis of processing of personal data.