While the General Data Protection Regulation (GDPR) brings many new concepts to the scope of personal data, none may be more important than the criteria for lawful processing. The regulation specifies that personal data must be processed in a "lawful, fair and transparent manner," but what is required to achieve this standard?

How "consent" can prove lawful processing
There are various methods that a data controller can use to achieve lawful processing. The most widely recognized method is consent, which allows the data subject to choose how and when their personal information is used. While this may appear to be the gold standard that a company aims to achieve, true consent may be difficult to attain in in some instances. According to the GDPR, Consent is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he/she, by a statement or by a clear affirmative action's signifies agreement with the processing of personal data relating to him/her."

It's important to understand that the data controller has the responsibility to demonstrate that valid consent was given. The offer of consent must be provided in an intelligible form, using plain language, and must not include any unfair terms. The data subject must also have a genuine choice and can withdraw consent at any time.

Within the European Union regulations, a "Recital" explains the rationale behind a law's provisions. GDPR's Recital 43 indicates that consent should not be utilized in cases with an imbalance of power. An employer-employee relationship is a clear example of this situation, because it would prove difficult to show that the consent was truly freely given. Additionally, even if consent was freely given, the regulation allows for it to be withdrawn at any time and for any reason, which could be problematic for an employer. Consequently, with employer-employee relationships, the employer may want to utilize a different method to achieve lawful processing.

Achieving lawful processing through "necessity"
Another option to obtain lawful processing is through the concept of "necessity," which can be required through performance of a contract, for compliance with legal obligations and for legitimate interest, according to GDPR's Recital 45.
 

• "Performance of a contract" applies to current, in-force contracts, or if the data subject has requested something that requires processing, such as a quote for car insurance. This stipulation does not apply if the data controller takes pre-contractual steps on their own initiative. In addition, the contract does not need to be a formally signed document, but must be one that has been offered and accepted, as well as necessary for the contacted activity or goods.
    
• "Compliance with legal obligations" applies to situations when the data controller must comply with legal obligations, such as when an employer complies with tax law or a valid court order. It's important to note that it does not apply to laws from non-EU countries. There are also limited exceptions carved out for journalism and research where free speech and other public interests are of concern.
    
• "Legitimate interest" can also be a lawful basis for processing. For it to be appropriate, the interest must be identified, the processing must be shown to be necessary, and the rights and freedoms of the data subject must be taken into account. The legitimate interest can either benefit the data controller directly or a third party. An example of legitimate interest is direct marketing, outlined in Recital 47, in which there is an existing business relationship between a controller and data subject, or when an employer processes employee data to determine for performance analysis. Conducting a data protection impact assessment can help document the validity of the legitimate interest, and it must also be disclosed in the company's privacy policy.
    

Ensuring lawful data processing can be a difficult task. With the passage of the GDPR, data controllers are required to explain the legal basis for processing in a privacy notice, which is communicated to data subjects. Documentation of both the process and your guiding principles or framework will likely assist in the event of an investigation by a data protection authority.