How to implement the control:
A useful guide on lawful basis was published by the ICO and can be found here.
Answer yes if your organisation has documented a valid lawful basis in order to process each flow of Personal Data as defined under GDPR.
Under GDPR, you must have a valid lawful basis in order to process personal data. GDPR defines six available lawful bases for processing. No single basis is ‘better’ or more important than the others. Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
You must determine your lawful basis before you begin processing, and you should document it. The ICO have a great guide and an interactive tool to help you.
Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.