Profile information Member settings
Logout
Sign up Sign in

Make your GDPR documents

Get started

What is 'processing'?

'Processing' is any use of personal data (eg names and addresses), other than for personal reasons. It includes:

  • obtaining

  • recording

  • storing

  • organising

  • retrieving personal data

People who process personal data can either be 'data controllers' or 'data processors'. 

Data controller

The data controller is the main decision-maker. They decided on the purposes for and means of processing personal data. In other words, the data controller is the person who says how and why personal data is processed.

Data processor

The data processor carries out the instructions of the data controller in its processing of personal data. In other words, the data processor is the person who acts on behalf of, and only on the instructions of, the data controller. 

Lawful grounds to process data

Businesses will only be able to process personal data collected if one (or more) of the following six grounds have been met.

Failure to comply with one or more of the grounds will result in a criminal offence.

Consent

Data controllers can obtain the consent of data subjects (ie the individuals to which the personal data relates) to process their personal data. Consent must be:

  • freely given

  • specific

  • informed

  • unambiguous, and

  • as easy to withdraw as it was to provide

Consent can be given by way of a statement or affirmative action (ie it is no longer recommended that businesses rely on pre-ticked boxes).

Consent cannot be given by a child under the age of 16 unless there is parental consent (reasonable efforts must be taken to ensure that, where consent is provided by the parent, it is genuine).

The burden of proof lies with the data controller who must show that consent was validly obtained. As such, the data controller should regularly confirm, review and update consent.

For more information, read Consent for GDPR.

Performance of a contract

Processing is necessary for the performance of a contract or where it is necessary in order to ‘take steps’ at the request of the data subject before entering into the contract (eg providing a quote).

Compliance with a legal obligation

Where data is processed in order to comply with a legal obligation. The obligation does not have to be required by legislation or statute, but it must be clear having regard to the laws of the UK. For example, employers may be required to process certain health-related data to comply with their health and safety duties.

Vital interests of the data subject

Processing is required to protect the vital interests of the data subject or another individual.

Vital interests include interests essential for the life of the data subject or processing data for humanitarian purposes and, in particular, cases where a disaster has struck.

Public interest

Processing is necessary for performing a task that is in the public interest or in the exercise of official authority vested in the data controller. For example, a local authority uses personal data to collect council tax.

Legitimate interests of the data controller

Legitimate interests can include commercial interests, individual interests or broader societal benefits. Processing is necessary for the legitimate interests pursued by the data controller or by a third party, as long as the processing does not override the fundamental rights and freedoms of the data subject (eg for network and information security or for the prevention of fraud). 

Public authorities and any party dealing with children (as a child's interests will always override the interests of a data controller) are not able to rely on this ground.

Legitimate interests assessment

If a data controller wishes to rely on the legitimate interests ground, they must conduct a Legitimate interests assessment (LIA). An LIA is used to identify:

  • what that legitimate interest is

  • the benefits of processing the personal data in that way

  • is such processing is necessary

This means that the data controller must carry out a balancing exercise, in which they must demonstrate whether the legitimate interest being relied upon outweighs the data subject’s legitimate interests and rights.

For more information, read Legitimate interest assessments.

For more information on the lawful bases for processing, see the Information Commissioner's Office (ICO) guidance. If you need help determining your lawful basis for processing, you can use the ICO’s web tool.


Ask a lawyer

Get quick answers from lawyers, easily.
Characters remaining: 600
Rocket Lawyer On Call Solicitors

Try Rocket Lawyer FREE for 7 days

Get legal services you can trust at prices you can afford. As a member you can:

Create, customise, and share unlimited legal documents

RocketSign® your documents quickly and securely

Ask any legal question and get an answer from a lawyer

Have your documents reviewed by a legal pro**

Get legal advice, drafting and dispute resolution HALF OFF* with Rocket Legal+

Your first business and trade mark registrations are FREE* with Rocket Legal+

**Subject to terms and conditions.