Many people think that consent is the only proper legal basis for processing personal data, but this is not the case. A legal basis could also be a legitimate interest or a contract. But how much knowledge about the different kinds of legal bases can you expect from your employees? This blog post takes you through the topic of the legal basis for processing personal data and gives you examples of what your employees should know and do in their daily work when they run into situations where they process personal data.
Regardless of size and type, almost all organizations process personal data in one way or another. This is because personal data is everywhere and can be anything from a name, address, or hair colour to internet browsing history or political views. Basically, anything that can be linked to a specific person.
This means that there are a lot of touchpoints where your organization might need to process personal data. Remember that it is your organization that is the data controller, and you need to make sure that you have a legal basis for processing personal data in every situation.
You might have implemented good practices in your organization to comply with various privacy and data protection rules and regulations, such as the GDPR. Your lawyers might have knowledge about data processing laws, and you might even have trained your employees in dealing with personal data.
However, even though your team is trained in complying with the GDPR in their routine daily work, it often happens that they are in doubt about how to handle personal data in unfamiliar situations.
Most people who work at a computer come into contact with personal data, and your organization has probably secured a legal basis for processing it. This is usually the case for routine tasks, such as getting consent from customers who sign up for your newsletter, or making sure that you have a legal basis for processing necessary personal data about your employees through their employment contracts.
And that is great, but…
This usually only applies to the people on the team who process personal data as part of their routine tasks. They are used to it and they know what to do. However, since personal data is everywhere, new situations where someone needs to process personal data occur all the time, and they might not know how to obtain a legal basis, or that they even need one in the first place.
As mentioned, the problem often occurs when your team members find themselves in new and unfamiliar situations. This could be, for instance, when they have an idea for a new project, or when an employee is dealing with a one-off initiative.
For example, say that your organization wants to host a Christmas party for the team and would like to invite their families as well. One of your employees gets tasked with organizing the event. This person must then gather information about who will attend the event with their families, their names, and whether they have any dietary restrictions. There is a lot of personal data processing involved here, and as the data controller, your organization must ensure that there is a legal basis for doing so. Note that dietary restrictions can reveal religious beliefs or health conditions, which the GDPR treats as special categories of personal data with stricter rules, so this seemingly harmless list deserves extra care.
Other examples of unfamiliar situations could be:
Online talent pool: Your HR department wants to create a new talent pool, where candidates interested in working for your company can register their CVs, and the HR department can then send relevant job openings to them in the future. Your HR department thinks that this a great idea to see who is interested in your company, and to have a pool of possible candidates when there are new openings.
Instagram competition: Your marketing department came up with a great idea to boost your online presence. To get as much interaction as possible, they want to host a raffle on Instagram. All customers have to do is like your post and comment on what they like most about your products, and at the end of the month you draw a winner who receives a voucher from your company.
Supplier contacts: Your organization is growing, and there is now more than one person in your organization who is responsible for contact with your suppliers. To make it easier to see who the contact person is for each supplier, you decide to create a shared Excel file which lists your suppliers and the contact person at each supplier with their title, e-mail address and phone number.
As the examples show, it is not only the legal department of your organization that must consider the legal basis for processing personal data. Most of your team will have to process personal data and it is crucial that there is a legal basis for that.
One type of legal basis for processing personal data that everyone is probably aware of is consent. When you register for an online newsletter on a website, you are asked to accept that the company can process and store your personal data, such as your e-mail address and name. You normally give this consent by ticking a box that explicitly states that you accept that the website can process your information. Under the GDPR, consent must be freely given, specific, informed and unambiguous, which is why a pre-ticked box does not count.
We are all very familiar with giving consent for processing personal data. However, consent is only one of the lawful bases for processing personal data listed in Article 6(1) of the GDPR; the others include performance of a contract, a legal obligation, protection of vital interests, a task carried out in the public interest, and legitimate interests. In the following, we present some of these legal grounds for processing personal data, along with some examples.
These are just some of the legal bases for processing personal data. Which one applies depends on the specific situation, and there is no single best type or one-size-fits-all answer. Therefore, it is up to your organization to determine the legal basis in each specific context.
Even though most team members process personal data, it is enough that they are aware that a legal basis is needed and that they are confident they are acting within the rules. This does not mean everybody should be an expert in the GDPR and other legislation. The point is that you need to create awareness among your employees that the legal basis for processing personal data is something they may need to consider, especially in new and unfamiliar situations.
For instance, if we think back to the example of organizing the Christmas party, the employee who is tasked with organizing the event could consult the Data Protection Officer (DPO) in your organization on how to proceed. The legal basis for such processing might be legitimate interest, provided your employees are told who is gathering the information and what it will be used for; consent is usually a poor fit here, because the imbalance of power between employer and employee makes it hard to show that consent was freely given. Your DPO can also give useful advice to the person responsible for the event, such as where to store the data, who may access it, and how and when to delete it afterwards.
In short, it is your lawyers, legal department, or DPO who should be responsible for determining the legal basis for processing personal data. They are the ones who should do the legal preparation for establishing the legal basis, not the regular employees themselves.
However, your team must be aware that they might need a legal basis, and they must be able to approach the legal team if they are in doubt. Your job in this context is to create awareness among your employees and ensure that they have someone they can seek advice from regarding legal grounds.
In summary, there are many touchpoints where your employees might need to process personal data, and you must ensure that there is a legal basis for doing so. Personal data is everywhere, and so is the need to process it. Whether it concerns your team, your customers, your suppliers or anyone else who interacts with your organization, there must be a legal basis for processing their personal data. You cannot expect your team to become experts in the GDPR, but you can make sure the legal basis is taken care of by teaching your employees to consult the responsible person or department when they are in doubt. Your number one priority, therefore, is to create that awareness and to make sure there is a person or department your employees can turn to.