Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

07) Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?

August 30, 2022
Valid Lawful Basis

Answer yes if your organisation has documented the legal justification for processing personal data in each instance. The criteria for a valid lawful basis will depend on your jurisdiction.

The requirement to document the lawful basis for data collection and processing depends on the applicable data protection and privacy laws in the national or regional location where the data originates.

Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.

You should determine your lawful basis before you begin processing, and you should document it.

The requirement for a lawful basis provides assurance that the legal protective requirements are understood and that there is commitment to apply the requirements as described in each case for activities involving data collection and processing.

How to implement the control

Describing and documenting the lawful basis will differ depending on the regulations that apply and the specific data processing scenario. For example, when documenting data collected and processed about candidates applying for job roles in your organisation, you could describe:

  • the scope and nature of personal data collected (contact details, work history, etc.)
  • the use of that data (contact each person about the application, assessing their suitability for the role applied for, etc.)
  • the lawful basis for doing this collection and processing (’We conduct this processing on the basis of our legitimate interest in finding and selecting the most suitable candidates to join our team…’) based on the legislation applied in the country of origin or operation.
  • how the data is reasonably protected (need-to-know access, storage and retention periods, secure deletion when no longer required, etc.)

The Information Commissioner's Office in the UK have published a useful guide on applying the lawful basis in relation to the UK GDPR. Whilst this is UK focussed, it may also provide useful information for any other organisation based in Europe or working with European businesses.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.