GDPR Data Types
Use the GDPR Data Types section to create a complete list of all the types of data your organisation processes and/or stores.
You can Load Sample Data to give you some ideas of types of data that you may process and store.
If you are using Sample Data, make sure you customise it to fit your organisational and operational structure: remove any data types that are not relevant and add any that are not listed.
For each type of data you process you need to record the legal basis for processing it and, where that basis is consent, what consent was obtained from the data subject and how and when it was obtained, so that the consent can later be demonstrated (the GDPR requires the controller to be able to show that consent was given).
For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA.
It is important that you determine your lawful basis for processing personal data and document this.
This becomes more of an issue under the GDPR because your lawful basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted.
The GDPR allows member states to introduce more specific provisions in relation to Articles 6(1)(c) and (e):
“(c) processing is necessary for compliance with a legal obligation”;
“(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
These provisions are particularly relevant to public authorities and highly regulated sectors.
The table below sets out the lawful bases available for processing personal data under Article 6(1). Special categories of personal data additionally require one of the conditions in Article 9(2) to apply; those conditions are not reproduced here.
Lawfulness of processing conditions (Article 6(1))

| Condition | Description |
|-----------|-------------|
| 6(1)(a) | Consent of the data subject |
| 6(1)(b) | Processing is necessary for the performance of a contract with the data subject, or to take steps at the request of the data subject before entering into a contract |
| 6(1)(c) | Processing is necessary for compliance with a legal obligation |
| 6(1)(d) | Processing is necessary to protect the vital interests of the data subject or another person |
| 6(1)(e) | Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller |
| 6(1)(f) | Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject |

Note that condition 6(1)(f) is not available for processing carried out by public authorities in the performance of their tasks.
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.
Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.
Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.