Applicable since 25 May 2018, the General Data Protection Regulation (GDPR) set out to give individuals greater control over the personal data that third parties, such as retailers or social networks, hold about them.

The six principles of the GDPR are the guiding ethical intentions underpinning the legislation. They set out the vision for data protection going forward, express the ethos of the law, and identify who is accountable for upholding its values and obligations. Aligning an organisation with the six principles and embedding them throughout its operations lays a sound foundation for meeting the GDPR's requirements. Using them as the basis for every decision about the processing of personal data within the organisation builds a deeper understanding of the spirit of the law.

The GDPR requires that all personal data processing be lawful, fair and transparent. In practice this means that the lawful basis for the processing, that is, the legal ground that justifies its purpose, must be identified before processing begins and documented in a clear and transparent way, and the data controller will be held accountable for it. This tripartite principle is extremely important because it underpins all the other principles and rights within the GDPR.

Article 6 of the GDPR sets out six bases for lawful processing, at least one of which must be chosen and documented before processing begins.

1. Consent

Consent is a freely given, specific, informed and unambiguous indication by the individual, through a statement or a clear affirmative action, that they agree to their personal data being processed for a specific purpose. The controller must be able to demonstrate that all of these conditions have been met, and the individual must be able to withdraw consent as easily as they gave it. Note that "explicit" consent is a higher standard, required for special categories of data such as health data.

2. Contract

A contract is a legally binding agreement between two or more parties, and the performance of a contract is the fulfilment of its mutual obligations and duties. Processing may be legitimised on this basis where it is necessary to perform a contract to which the data subject is party, or where the data subject has requested that specific steps be taken before entering into a contract, in which case the processing is justified only for that specific purpose.

3. Legal obligation

This basis covers processing that is necessary for the controller to comply with a legal obligation to which it is subject. Within the GDPR, a legal obligation specifically refers to obligations laid down in the law of the European Union or the law of one of its Member States.

4. Vital interests

Referring primarily to the protection of the life of the data subject or of another natural person, the vital interests basis will generally apply in a medical or emergency context, although not exclusively. It is intended for situations in which the processing cannot reasonably be founded on another basis.

5. Public task

This basis covers processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It is chiefly relevant to public authorities, although another organisation may rely on it where the task or authority is laid down in Union or Member State law. Conversely, public authorities cannot rely on the legitimate interests basis for processing carried out in the performance of their tasks.

6. Legitimate interests

After consent, the legitimate interests basis is the most broadly applicable to organisations that are not public authorities. Despite its breadth, controllers must establish that they genuinely have a legitimate interest, that the processing is necessary to pursue it, and that the interest is not overridden by the interests, rights and freedoms of the data subject. For example, if you listed your website in a free UK business directory, should that directory have access to your personal data?

Where no lawful basis can be attributed to the processing of personal data, the processing is unlawful, and the individual has the right to request the erasure of that data.