Processing personal data

Personal data is information (whether held electronically or physically) relating to individuals only (i.e. not companies or other organisations) who can be personally identified from that data (on its own or with other data held).

For more information on what is personal data, read Data protection.

Ask a lawyer

GDPR legal compliance check from £1000+VAT

Speak to a lawyer today.

What is 'processing'?

'Processing' is any use of personal data (other than for personal reasons). It includes:

  • obtaining
  • recording
  • storing
  • organising
  • retrieving personal data

Grounds to process data

Businesses will only be able to process the personal data they collect if one (or more) of the following six grounds has been met.

Failure to comply with one or more of the grounds will result in a criminal offence.

Consent

Controllers can obtain the consent of data subjects to process their personal data. Consent must be:

  • freely given;
  • specific;
  • informed;
  • unambiguous; and
  • as easy to withdraw as it was to provide.

Consent can be given by way of a statement or affirmative action. Affirmative action means that it is no longer recommended that businesses rely on pre-ticked boxes.

Consent cannot be given by a child under the age of 16, unless there is parental consent (reasonable efforts must be taken to ensure that, where consent is provided by the parent, it is genuine).

The burden of proof lies with the data controller who must show that consent was validly obtained. As such, the controller should regularly confirm, review and update consent.

Performance of a contract

This ground applies where processing is necessary for the performance of a contract, or where it is necessary in order to ‘take steps’ at the request of the data subject before entering into the contract.

Compliance with a legal obligation

This ground applies where data is processed in order to comply with a legal obligation. The obligation does not have to be required by legislation or statute, but it must be clear having regard to the laws of the UK.

Vital interests of the data subject

Processing is required to protect the vital interests of the data subject or another individual.

Vital interests include interests essential for the life of the data subject or processing data for humanitarian purposes and, in particular, cases where a disaster has struck.

Public interest

Processing is required for performing a task that is in the public interest or in the exercise of official authority vested in the data controller. For example, a local authority using personal data to collect council tax.

Legitimate interests of the data controller

Processing is necessary for the legitimate interests pursued by the data controller or by a third party (e.g. for network and information security or for the prevention of fraud), as long as the processing does not override the fundamental rights and freedoms of the data subject.

Public authorities and any party dealing with children (as a child's interests will always override the interests of a data controller) are not able to rely on this ground.
