For the processing of personal data to be lawful, it must be processed on a ‘lawful basis’.1
This includes:
Legal obligation: the processing is necessary to comply with the law (not including contractual obligations); or
Public task: the processing is necessary to perform a task in the public interest or in the exercise of official authority vested in you as the data controller; or
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks); or
Consent: the individual has given clear consent for you to process their personal data for a specific purpose. For further information see the ICO’s guidance on consent.
Processing personal data without a lawful basis runs the risk of enforcement activity by the ICO, including substantial fines. For further information, see our guidance on data protection breaches and sanctions.
The ICO have advised that in the main, the processing of personal data by EROs and ROs is likely to fall under the lawful basis that it is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller.
It is for you to determine what the lawful basis for processing the data is, and to document your approach.
You must clearly set out in your privacy notice which lawful basis you are relying on for processing and cite the relevant UK law where applicable. You may rely on more than one lawful basis if you consider it appropriate.