The GDPR (General Data Protection Regulation) is designed to overhaul and modernise current data protection laws. It strictly regulates the processing of personal data and gives data subjects more control over their data.
Under the GDPR you must have a valid lawful basis in order to process personal data. This will mean that not only must you provide a basis for newly collected data, but also audit all data you have collected in the past. The lawful basis also assumes that collection of the data is necessary. If it is not, and the activity can proceed without the collection of the data, then the lawful basis won’t stand.
Once you have determined your lawful basis, you must document it. If you do not have a lawful reason for holding the data, it must be deleted.
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
As part of your data audit, you need to identify all the individual types of data you hold, and document not only your lawful basis for holding the data, but also your retention period and when the data must be deleted.
Contact the team at Point Progress to find out about i-Comply-GDPR, the software solution which will help manage your data protection responsibilities.