GDPR - Legal Basis for Processing and Transparency
Welcome back to our series of blogs looking at the upcoming General Data Protection Regulation (GDPR). It’s less than six months until 25 May 2018 and it’s time to start getting into the nitty-gritty of your preparation. One of the best places to start is with your organisation’s purpose for processing personal data.
The current Data Protection Act 1998 (DPA) established specific conditions or purposes for processing, and these can be found in Schedules 2 and 3 of the Act. If you are processing sensitive personal data you must have a condition from both Schedules; if you are processing non-sensitive data you only need a condition from Schedule 2.
Under the GDPR and the new Data Protection Bill presently going through the UK Parliament, these conditions will persist.
However, under the GDPR they are no longer referred to as ‘conditions’; they become legal bases for processing. The GDPR equivalents of Schedules 2 and 3 are found in Articles 6 and 9 respectively. For legal bases not explicitly set out in the GDPR, the Data Protection Bill provides equivalents.
If that’s all that’s changed, what’s the big deal?
The big deal is the accountability principle which requires organisations to document their legal bases for processing information as part of their evidence of compliance.
Theoretically, this should be simple, but many organisations are finding that what they originally thought was their scheduled condition for processing under the DPA was not identified properly at the time or has changed. So it’s important to establish the correct legal bases for processing to ensure compliance with the new regulations.
It’s important because your legal bases for processing dictate what rights an individual has over their personal data. In particular, consent gives individuals much more control over their data and its uses than they have currently.
What does this have to do with transparency?
People have the right to be informed regarding the use of their personal data, so organisations must be transparent about how and why they are using personal information. This is typically done through a data processing notice, or privacy notice, although it can also be done verbally, for example when taking personal information over the phone.
Article 13 of the GDPR sets out what information an organisation must include in its privacy notice, including its legal bases for processing personal data.
In the Right to be Informed section of our website there’s a handy checklist to help you identify what needs to be included. We also have a Privacy Notices Code of Practice which has been updated for the GDPR.
Is that all we need to do?
Not quite. The GDPR also sets out that any communications, including privacy notices, must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- provided free of charge.
As an organisation you need to think about who your audience is as you create your notice. For example, if you regularly work with non-English speakers or visually impaired individuals you may consider producing the notice in formats they will understand.
In my next blog I’ll remove the mystery around the accountability principle. Until then you can subscribe to the ICO’s monthly e-newsletter, and take a look at our newly published Guide to the GDPR.