GDPR Action Plan Part 3

Is it lawful to process personal data the way you do?

In this article, we’ll look at:

  • The 6 ‘lawful grounds’ for processing personal data under the GDPR
  • A focus on consent, contract and legitimate interests
  • Some further resources

Check it out!


In our previous article, we continued our in-depth look at a GDPR action plan by determining what your business currently does in terms of processing personal data: how it is collected, stored, used and transmitted.

In this article, it’s crunch time – because we now need to determine whether what we’re currently doing would be lawful under the GDPR – and if not, what we’ve got to do to resolve that issue.

Remember – under the GDPR, businesses can theoretically be fined up to €20 million, or 4% of annual worldwide turnover, whichever is higher, for the most serious breaches.

Probably worth reading on.

What makes it lawful?

The GDPR states that it is only lawful to process personal data if one or more of the following situations apply:

  1. Consent: The data subject (the person whose data we’re referring to) has specifically consented;
  2. Under contract: processing is necessary to fulfil a contract that the data subject has asked for;
  3. Legal Obligation: processing is necessary because of a specific legal obligation that you (as the controller of the data) are subject to;
  4. Vital Interests: processing is necessary to protect the vital interests of the data subject or another person;
  5. Public Interest: processing is necessary as part of a task carried out in the public interest, or as part of the official capacity of the controller of the data;
  6. Legitimate Interests: processing is necessary for the purposes of the legitimate interests of the data controller (or of a third party), unless those interests are overridden by the interests, rights and freedoms of the data subject.

Please note: I’m paraphrasing the lawful grounds here, in an attempt at clarity.

For most commercial small businesses, grounds 3, 4 and 5 above are unlikely to apply, so we’re going to focus on the most likely lawful grounds: Consent, Under Contract and Legitimate Interests.

But to be clear: you must identify, and document, the lawful ground you rely on for each purpose before you start processing, and more than one ground can genuinely apply to the same processing. So don’t discount the legal obligation, vital interests and public interest grounds if you think they might apply.

So, it’s worth us understanding those three lawful grounds a little better.


Consent is always going to be an important factor in whether you can legitimately process somebody’s personal data.

Because if they say it’s ok, it’s ok – right?

Well, yes and no.

The GDPR makes some fairly fundamental changes to the way we need to think about consent. In particular:

  • You will need to be able to prove that somebody has consented;
  • The consent must be freely given;
  • It must be specific;
  • It must be informed and unambiguous;
  • It requires a clear, positive action on the part of the data subject.

This handful of requirements places some pretty significant hurdles in the way of gaining legitimate consent:

Proof – processes will need to be in place to demonstrate that a person has consented to their data being processed. Could you do that right now? Show that a particular person had consented to a particular thing on a particular date?

Freely given – you can’t force people into ticking an ‘I consent’ box by making it a condition of them taking a particular product or service from you, unless it is genuinely required to deliver that service. For example, it wouldn’t be lawful to require somebody to tick a ‘I agree to my information being entered onto your mailing list’ before they purchase a product or take advantage of an offer.

Specific – because consent has to be specific, it is almost certainly not lawful to try to gain ‘blanket consent’ for all types of data processing. You need to tell people specifically what they are consenting to, and that consent will not extend to any other type of processing. To extend the example above – if you were to collect somebody’s email address in order to reply to their request for a quotation, you couldn’t use that email address to send marketing emails to them without further consent.

Informed and unambiguous – people need to understand what they’re consenting to, so when asking for consent, you need to be painfully clear what you mean, and not attempt to hide the consent in reams of jargon or other unrelated matters.

Positive action – this is a big one – the data subject has to make an ‘affirmative action’ to indicate their consent. In particular, this means that the idea of ‘implied consent’ (e.g. “by continuing to use this website you are deemed to accept our T&Cs”) goes out of the window. They have to tick a box, or otherwise make a positive action to confirm their consent. And you’re not allowed to tick that box for them, either!

So what this all boils down to is this:

You need to provide people with all of the information they need to understand precisely what you’re going to do with their data before they consent. In practical terms, this will usually mean having a very clearly defined Privacy Policy in place that people can see before you ask them to consent. And you need to be able to prove what they have consented to.
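The proof, specificity and positive-action requirements above translate fairly directly into a small piece of engineering: an append-only consent ledger. The following is an added example (not code from the original article or from Blackbox); the subject identifiers, purpose names, form field names and privacy-notice wording are illustrative assumptions. It records one event per (person, purpose) with a timestamp and a hash of the exact notice wording shown, treats a missing or unticked box as no consent, refuses blanket purposes, and can answer "had this person consented to this purpose on this date?" even after consent has since been withdrawn.

```python
"""Added example: a minimal consent ledger for GDPR-style consent records.
Not the article's own code; identifiers, purposes and notice text are assumed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # your identifier for the data subject (assumed scheme)
    purpose: str           # ONE specific purpose, e.g. "marketing_email"
    granted: bool          # True = consent given, False = consent withdrawn
    recorded_at: datetime  # UTC time of the affirmative action or withdrawal
    notice_hash: str       # SHA-256 of the exact wording shown when consent was sought
    source: str            # how the action was captured, e.g. "web_form:unticked_checkbox"


def notice_fingerprint(notice_text: str) -> str:
    """Hash the notice wording so each record is tied to what was actually shown."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


def checkbox_ticked(form: dict, field: str) -> bool:
    """Positive action only: a missing or unchecked box is NOT consent, and the
    server never defaults it to True (no pre-ticked boxes)."""
    return form.get(field) == "on"


class ConsentLedger:
    """Append-only log of consent events; nothing is overwritten, so the
    history itself is the proof."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               notice_text: str, source: str,
               when: datetime | None = None) -> ConsentEvent:
        # 'Specific': refuse blanket consent covering every kind of processing.
        if purpose.strip().lower() in ("", "all", "any"):
            raise ValueError("consent must name one specific purpose")
        event = ConsentEvent(
            subject_id=subject_id,
            purpose=purpose,
            granted=granted,
            recorded_at=when or datetime.now(timezone.utc),
            notice_hash=notice_fingerprint(notice_text),
            source=source,
        )
        self._events.append(event)
        return event

    def evidence(self, subject_id: str, purpose: str,
                 at: datetime | None = None) -> ConsentEvent | None:
        """Latest event for (subject, purpose) at or before `at`, or None.
        Consent for one purpose never extends to another purpose."""
        at = at or datetime.now(timezone.utc)
        candidates = [e for e in self._events
                      if e.subject_id == subject_id and e.purpose == purpose
                      and e.recorded_at <= at]
        if not candidates:
            return None
        return max(candidates, key=lambda e: e.recorded_at)

    def has_consent(self, subject_id: str, purpose: str,
                    at: datetime | None = None) -> bool:
        """'Had this person consented to this purpose at this date?'"""
        ev = self.evidence(subject_id, purpose, at)
        return ev is not None and ev.granted


# Constructed walk-through with made-up data (not real subjects or forms).
NOTICE_V1 = ("We will email you the quotation you requested. "
             "Tick the box if you also want our monthly newsletter.")


def walkthrough() -> dict:
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    # First visit: the newsletter box was left unticked (field absent from POST).
    form1 = {"email": "ada@example.com"}
    if checkbox_ticked(form1, "newsletter"):
        ledger.record("subj-001", "marketing_email", True, NOTICE_V1,
                      "web_form:unticked_checkbox", t0)
    # Second visit: the same person ticks the box.
    t1 = datetime(2018, 6, 1, 10, 30, tzinfo=timezone.utc)
    form2 = {"email": "ada@example.com", "newsletter": "on"}
    if checkbox_ticked(form2, "newsletter"):
        ledger.record("subj-001", "marketing_email", True, NOTICE_V1,
                      "web_form:unticked_checkbox", t1)
    # Later they withdraw via an unsubscribe link.
    t2 = datetime(2018, 7, 15, 8, 0, tzinfo=timezone.utc)
    ledger.record("subj-001", "marketing_email", False, NOTICE_V1,
                  "unsubscribe_link", t2)
    return {
        "before_tick": ledger.has_consent("subj-001", "marketing_email", t0),
        "after_tick": ledger.has_consent("subj-001", "marketing_email", t1),
        "after_withdrawal": ledger.has_consent("subj-001", "marketing_email", t2),
        # Consent to one purpose says nothing about a different purpose:
        "other_purpose": ledger.has_consent("subj-001", "profiling", t1),
        # What you would show a regulator: the record as it stood on that date.
        "proof": ledger.evidence("subj-001", "marketing_email", t1),
    }
```

The design choice worth noting is that withdrawal is recorded as a new event rather than by deleting the original: you still need to be able to show that, on the date you sent a particular email, the consent existed and what wording it was given against. In a real system the ledger would live in a database with the same append-only discipline, and the notice text for each hash would be kept so it can be reproduced later.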

But before you start worrying about all of the circumstances in which that’s just not possible, remember that consent is not the only option. You might well have a number of legitimate reasons, under the other lawful grounds, for processing their data – and often, those alternatives might be better.

Let’s look at them now.

‘Under contract’

The actual terminology within the GDPR states that the processing of personal data may be lawful if:

“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

So, if a person approaches your business to enquire about a product or a service that you provide, it is legitimate for you to process their personal data to the extent that is necessary to do what they’ve asked you to do.

If someone purchases an item from your online store, then clearly you need to collect, store and possibly transmit their name and address for the purpose of delivering the item to them.

It doesn’t give you carte blanche to do whatever you like with it, though – so don’t go sticking their email address on a mailing list without some other way of justifying it (most likely, consent).

‘Legitimate Interests of the data controller’

This is an interesting one – as, at first sight, it looks like a reasonably broad definition:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

In this case you, the business deciding what data is collected from the individual and why, are the Data Controller. So, subject to a balancing test (the processing must be genuinely necessary for a real interest of yours, and that interest must not be overridden by the individual’s rights and freedoms, with particular weight given where the data subject is a child), the processing may be lawful if it serves a legitimate interest of your business.

There are some clear legitimate uses of this lawful basis such as to prevent fraud or to maintain the security and integrity of a system holding personal data – as those things are clearly in the spirit that the GDPR is trying to encourage.

The regulation itself (in Recital 47) even goes so far as to say that processing personal data for direct marketing purposes MAY be regarded as carried out for a legitimate interest. Only ‘may’, though.

So the ‘legitimate interest’ basis should, I suggest, be used with caution. It is certainly not a general ‘catch all’ for anything that a business wants to do.

Here at Blackbox, we certainly cite the ‘legitimate interest’ ground as a reason why our website may place security related cookies on the user’s device without first asking for their consent. Just use it wisely.

So, what does this all mean?

If we return for a moment to the Personal Data Log that we’ve been slowly creating, we now need to identify – for each and every data input we’ve got listed – which of the 6 lawful grounds for data processing apply.

It might be just one, it might be two or three. But hopefully, it’s not none.

Because if you don’t have a legitimate, lawful reason for processing personal data, then doing so is a breach of the GDPR and you are potentially leaving yourself open to penalties.

You either need to find a lawful basis for doing it (such as introducing a valid consent process), or you need to stop doing it. Now. You would also need to securely dispose of any data that you have collected via this means in the past – because remember – storage is processing.

One final word about Consent

It’s natural to think that consent is the best method of demonstrating that you have a lawful basis for processing someone’s data. And in a lot of cases, that’s probably true.

But. Data processed on the basis of consent carries a particular set of rights: the individual can withdraw consent at any time, and once they do you must stop, and will usually have to delete the data (the right to erasure). The right to data portability also attaches to data processed under consent or contract. Rights such as access, rectification and restriction apply whatever the lawful basis, so consent does not change those.

Where you rely on legitimate interests instead, a person has the right to object to your processing of their data in that way (and you must stop unless you can show compelling legitimate grounds that override their interests), but they don’t have the same automatic power to switch the processing off simply by withdrawing consent.

So, just because you might seek somebody’s consent to capture certain types of data, make sure that your Privacy Policy also declares your other lawful grounds for processing it.

In some cases, having another lawful ground for collecting data might be a good reason NOT to ask for consent.

Summary, Next Steps & Further Reading

This stage in the process will hopefully have been a bit of an eye-opener, because it is only really now that you start to get a good feel for the impact that being GDPR compliant could have on your business.

You might now have a number of issues that need to be addressed – and whilst that is going to seem like a burden, it is most definitely better to know, and know now.

In our next article, we’ll look at the all important process of developing a plan for your ongoing GDPR compliance, and what your responsibilities are.

GDPR Action Plan – Part 4: Implement a plan for ongoing compliance

In case you’ve missed any of our previous articles, you can check them out here: