07) Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?
GDPR Valid Lawful Basis
Written by Haydn Brooks
Created on March 18, 2019
Modified on October 12, 2020

Answer yes if your organisation has documented a valid lawful basis in order to process each flow of Personal Data as defined under GDPR.

Under GDPR, you must have a valid lawful basis in order to process personal data. GDPR defines six available lawful bases for processing. No single basis is ‘better’ or more important than the others. Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.

You must determine your lawful basis before you begin processing, and you should document it. The ICO has a useful guide and an interactive tool to help you.

Take care to get it right the first time: you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.

How to implement the control:
A useful guide on lawful basis was published by the ICO and can be found here.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.