Lawful processing
In order to process personal data lawfully, you must comply with all of your legal obligations and you must be able to rely on at least one of the following lawful bases for processing.
Personal Data (Article 6)
a. The data subject has given consent to the processing of their personal data for one or more specific purposes
b. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
c. Processing is necessary for compliance with a legal obligation to which the controller is subject
d. Processing is necessary in order to protect the vital interests of the data subject or of another natural person
e. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
f. Processing is necessary for the purposes of the legitimate interests pursued by you (the controller) or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject; in practice, this means you must balance your (or the third party's) legitimate interest against any detriment to the data subject
Under the GDPR, consent is the least attractive basis: it must be freely given, specific, informed and unambiguous, it can be withdrawn by the data subject at any time, and it is therefore difficult to maintain. Law firms will normally rely on one of the other lawful bases. Solicitors will need to process the personal data of individuals in order to provide them with legal services under the contract, and may also need to process certain data to comply with legal obligations as members of a regulated profession, or because it is in the legitimate interests of the firm and/or the client.
Special Category Data (Article 9)
If you are processing special category data (for example, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, or data concerning health, sex life or sexual orientation), whether on behalf of your client or otherwise, you need, in addition to an Article 6 basis, at least one of the following conditions:
a. The data subject has given explicit consent to the processing of this personal data for one or more specified purposes
b. Processing is necessary for the purposes of carrying out obligations or exercising rights under employment, social security or social protection law, where there is an appropriate policy document in place which explains the procedures for securing compliance with the data protection principles and, in particular, explains the controller's policies on retention periods and erasure of the data
c. Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent
d. Certain activities carried out by not-for-profit bodies with a political, philosophical, religious or trade union aim, provided appropriate safeguards are in place, the processing relates only to members or former members (or persons who have regular contact with the body in connection with its purposes) and the personal data are not disclosed outside the body without the consent of the data subjects
e. The processing relates to personal data which is manifestly made public by the data subject
f. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
g. Processing is necessary for reasons of substantial public interest on the basis of EU or UK law which sets out the relevant safeguards, which in the UK cover the following areas: parliamentary, statutory or governmental purposes; equality of opportunity or treatment; preventing or detecting unlawful acts; protecting the public against dishonesty; journalism in connection with unlawful acts or dishonesty; preventing fraud; suspicion of terrorist financing or money laundering; counselling; insurance; third-party data processing for group insurance and insurance on the life of another; occupational pensions; political parties; elected representatives responding to requests; informing elected members about prisoners; and, provided an appropriate policy is in place
h. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, where it is carried out by or under the responsibility of a health professional, social worker or anyone else who owes a duty of confidentiality under an enactment or rule of law, and as long as an appropriate policy document is in place, or
i. Processing is necessary for reasons of public interest in the area of public health which is carried out under the supervision of a health professional or by another person who owes a duty of confidentiality under an enactment or rule of law, or
j. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes with appropriate safeguards in place, including data minimisation and pseudonymisation – data should not be processed using this legal basis if it has an impact on a particular data subject or it is likely to cause substantial damage or substantial distress to an individual.
Create a record of data processing
All law firms should know what personal data they are processing and why, and be able to identify what is happening to it.
GDPR guide for law firms
Data protection regulations from the perspective of a legal practice
- Ten steps
- Law firms as data controllers
- Create a record of data processing
- Marketing
- Client confidentiality, legal privilege and limited exemptions
- Sharing data with third parties
- Data retention
- Data protection officers
- AML and data protection
- Security
- Reporting personal data breaches
- Requests for copies of personal data
- Appendix 1 - Consent
- Appendix 2 - Example of a data protection policy
- Example of Privacy Notice