It’s vital that all the data our organisation handles is properly justified.

The lawful bases for processing are specifically dealt with under the GDPR (in Article 6, in case you wondered). So everything we hold has to fulfil one of the following criteria to be lawful.


The data is necessary to perform a written agreement, e.g. customer data we need to provide a service, or the information we collect about staff so we can comply within the terms of their contracts. It has to be necessary for the performance of the contract (or to facilitate entering into the contract).


There are many aspects of tax, employment, equality and health and safety law that require us to collect various kinds of information about the people we work with.  Data Subjects can’t stop us from doing this, but they may be able to prevent other processing if we use data for other purposes also.


We commonly justify processing data about people on the basis that it’s necessary for us to perform our core activities. However, we always balance our interests with those of the individual – essentially this means if someone asks us to stop processing their data, we would need to have a very compelling reason to refuse.


This refers to any processing that is necessary to keep someone alive, basically meaning that data protection issues should never stand in the way of saving someone’s life, or providing a crucial service such as medicine, care or aid. This includes any sensitive data which is necessary for protecting those interests.


This usually refers to the activities of a public body, including a government department, local council, or even a state school – it also includes anyone who has been given an official duty – such as a private contractor working for the government.



When no other legal basis can be replied upon to process people’s data, we seek their consent for processing. This includes marketing to anyone who we haven’t been in contact with before, including cold calling, mailing lists and use of any targeted ads service.

GDPR compliant consent is ‘FUSIE’.  It has to be acquired in a manner that is:

  • Freely given (not in return for any service that the data isn’t required to perform)
  • Unambiguous (given with a clear indication from the Data Subject – no pre-ticked boxes or ‘opt-outs’)
  • Specific (stating the purposes the data is used for)
  • Separate (distinguishable from any other terms and conditions)
  • Informed (provided with a full notification of the terms of consent)
  • Explicit (in the case of sensitive data – referring to the exact processing activity)