Following on from your data inventory exercise last month, you should now have a clear understanding and record of the personal data processed by your organisation.
Your next step is to review your organisation’s legal bases for processing that data (for example consent, performance of a contract or legitimate interests) and consider whether any of these bases will need to change under GDPR.
Two of the most frequently used grounds for processing, consent and legitimate interests, will see the greatest change under GDPR.
Legitimate interests tends to be used as a catch-all legal basis for processing, applied where the processing activity is not covered by one of the other legal bases. It involves balancing the rights and freedoms of the data subject against the needs of the controller. Much will depend on what the data subject was told at the time they provided the personal data and what their expectations are in respect of that data.
For public authorities, however, legitimate interests will no longer be available under GDPR where the processing is carried out in the performance of the public authority's tasks. In addition, the rights and freedoms of children are given greater weight under the GDPR, meaning that a child's interests may well override those of your organisation.
The GDPR sets a high standard for consent. Consent must be "freely given, specific, informed and unambiguous". Organisations will no longer be able to rely on consent as a legal basis for processing personal data where there is an imbalance in the relationship with the data subject. This will make it difficult to rely on consent in the context of public authorities/individuals and employer/employee. In addition, recent draft ICO guidance on the use of consent suggests that consent should only be used as a last resort where no other legal basis is applicable, and will not be valid when another legal basis can be relied upon. This represents a significant shift in the approach to using consent for personal data processing.
If you would like any further information about the GDPR and how it might affect your organisation, please download our Geldards Guide or if you would like to discuss how Geldards can help with training on the GDPR, please do not hesitate to contact our Information Law Team.