COMMUNICA | Issue Five
Not knowing why you have it
Personal data can only be processed if there is a
lawful basis for doing so.
There are only six lawful bases – consent;
performance of a contract; compliance with a legal
obligation; performance of a public function (if you
are a public authority); protecting the vital interests
of the data subject; or if you have another “legitimate
interest” (a wide category that can cover most of the
things that a business may want to do to promote or
protect itself).
Whilst these lawful bases have been around since
1998, many organisations are just beginning to
focus on why they process certain types of data.
Answering this question is a really important part of
becoming GDPR compliant, because you have to tell
others why you process it.
Not being transparent about data usage
GDPR proceeds on the philosophy that our personal
information belongs to us.
We may allow organisations to use that information,
but we are entitled to be told what they are
processing and why they are processing it.
This obligation to explain what organisations do with
personal data goes much further than the template
privacy policies on websites that we all ignore. A
properly compliant privacy notice needs careful
crafting.
It is self-evident that, if an organisation does not
know what it processes, and why, then it cannot
explain that to the data subject.
This is one reason why it is so important to
understand how your organisation uses data.
The privacy information notices that we are now
expected to issue need to be detailed, and genuinely
reflect what we do with data.
They need to set out the lawful basis for processing
and the rights that all data subjects have.
Accuracy is important, but can only be achieved if
you have audited your data in the first place, and
established the lawful basis for that processing.
Not understanding who you are sharing data with
Organisations need to share data: payroll data with
HMRC; claims-related data with insurers; credit card
details with financial processors; delivery addresses
with logistics companies.
Do we have a good reason (a lawful basis) for
sharing this data?
How safe will the recipient keep it? Data is extremely
easy to share, but it is our responsibility to share
responsibly.
Even if we have a good reason for sharing, are we
satisfied that the recipient will keep it safe?
Are we satisfied that they will only use it for the
purposes for which we have provided it to them?
GDPR makes this our responsibility, and we have
to have in place a proper audit trail justifying the
decisions that we have taken.
Modern technology has also made it easy for us
to use third party vendors for various processing
activities: our accountant processes our payroll;
Amazon hosts our data processing in the Cloud; our
vehicles are fitted with trackers which are monitored
by a third party.