New UK GDPR & Data Protection Documents
The UK GDPR sets out a range of principles, obligations, and rights concerning the collection, holding, and processing of personal data. The first of the data protection principles set out in the UK GDPR is that of lawfulness, fairness, and transparency. This lawfulness element of this principle requires that you establish a lawful basis for processing personal data before you begin.
Article 6 of the UK GDPR directly addresses lawfulness, and this article provides several different lawful bases to choose from. The most flexible of these bases (while none is inherently better than another) is “legitimate interests”.
Your choice of lawful basis will depend on the purpose or purposes for which you wish to process personal data and your relationship with the individual data subjects concerned. Nonetheless, the legitimate interests basis is flexible and has become widely-used by businesses as the justification for their personal data processing.
New Legitimate Interests Guidance Notes
New guidance notes are available which explain the legitimate interests lawful basis in detail, explaining what the basis is and how to apply it practically, asking what your legitimate interest is, whether the processing you are proposing is necessary for your chosen purposes, and whether there is a reasonable balance between your interests in processing the personal data and the interests, rights, and freedoms of individuals.
New Legitimate Interests Assessment
A three-part test, derived from Article 6(1)(f) of the UK GDPR, can help to determine whether or not legitimate interests is a suitable lawful basis for processing personal data. The new Legitimate Interests Assessment template expands on each of the three core questions with a set of sub-questions designed to help answer each part of the test. A complete set of answers will assist in determining whether legitimate interests is suitable for the purposes that you have in mind or whether an alternative lawful basis may be necessary. In some cases, risks might be identified that signal the need to carry out a more detailed Data Protection Impact Assessment.
New Data Protection Impact Assessment Screening Checklist
Data Protection Impact Assessments are an important part of data protection compliance, particularly the data protection by design and default approach advocated by the UK's data protection legislation. When a project is likely to result in a high risk to the individuals whose personal data will ultimately be involved, the law requires that you carry out a DPIA.
A DPIA helps you to identify and minimise the risks associated with personal data and data protection in your project. Not only should you identify the risks themselves, but also the likelihood and severity of them.
The new Data Protection Impact Assessment Screening Checklist is a template designed to help you decide whether or not a DPIA is necessary. This document may be used in the course of carrying out a Legitimate Interests Assessment or in other scenarios where proposed personal data processing poses a high risk to individuals, whatever lawful basis is chosen.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.