The Information Commissioner’s Office (ICO) has expanded its guidance on the ‘Lawful Basis for Processing’ section of the General Data Protection Regulation (GDPR).
‘Lawful Basis for Processing’ provides information on how personal data should be processed and how consent should be obtained – if indeed you are required to obtain consent at all.
Let’s take a look at the updated guidance on the GDPR published by the ICO.
Article 6(1)(f) of the GDPR provides ‘legitimate interests’ as a lawful basis in its own right, so where it applies you can process personal data without obtaining consent. This is how the ICO describes its use under the GDPR:
“The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.”
The ICO goes on to say that the processing must be a targeted and proportionate way of achieving your purpose, meaning that you cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
What additions have been made to the legitimate interest basis?
The ICO says that the lawful basis for legitimate interest is “essentially” the same as the Schedule 2 condition in the Data Protection Act (DPA) 1998.
The changes made mainly concern the following.
The need to document your decision-making process is probably the biggest change from the current Data Protection Act. The ICO frames the decision as a three-part test (identify a legitimate interest, show that the processing is necessary for it, and balance it against the individual’s interests, rights and freedoms) and expects you to record the outcome. The evidence and audit trail you keep, as in an information security management system, will allow you to demonstrate your compliance.
The legitimate interest you rely on can be your own or a third party’s, and it can include processing data without obtaining consent where the processing is considered to have a wider benefit to society.
More weight has been given to protecting individuals’ data in the balancing test: Article 6(1)(f) expressly says that the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child, can override your legitimate interests. In addition, under the GDPR, public authorities cannot rely on legitimate interests for processing carried out in the performance of their tasks and should consider the ‘Public Task’ lawful basis instead.
The Information Commissioner’s Office describes special category data as that which is particularly sensitive, and could pose “more significant risks to a person’s fundamental rights and freedoms.” This means that it requires more protection. The ICO lists the following as special category data, following Article 9 of the GDPR: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data used to uniquely identify a person; and data concerning health, sex life or sexual orientation.
Compared with the Data Protection Act 1998, genetic data and biometric data have been added to the list. Genetic data relates to inherited or acquired genetic characteristics that give unique information about an individual’s physiology or health. Biometric data is data resulting from specific technical processing of a person’s physical, physiological or behavioural characteristics (fingerprints or facial images, for example) which allows or confirms their unique identification; under the GDPR it is special category data only where it is processed for that identification purpose.
In addition, the special category data section no longer includes personal data relating to criminal convictions and offences – this is now covered separately in Article 10, Criminal Offence Data.
Criminal offence data includes, but is not limited to, information on offences, allegations, proceedings, convictions and related security measures.
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
In short, you can only keep a comprehensive register of criminal convictions under the control of official authority, and any other processing of criminal offence data must either be under official authority or be authorised by Union or Member State law that provides appropriate safeguards. As noted above, this data has been moved out of the special category data section and is governed separately by Article 10.
With more updates still to come on the GDPR, stay tuned to get the lowdown on announcements from the Information Commissioner’s Office.