Careful planning is key when it comes to processing data under the new GDPR regulations coming up on 25th May. Documenting your movements and reasons for choosing your lawful basis are fundamental in the event you are asked to present them in the future.

Take special care to plan and get it right the first time as you won't be able to switch to another lawful basis without good reason (if your reasons are clearly defined in your planning, this may be a possibility but is not recommended or gained easily). Your lawful basis for processing data should also be included in your privacy statement and will depend on your purpose and relationship with the individual.

The ICO have devised a handy 6 step checklist to help you ensure you lawful basis for processing data meets the requirements before the deadline:

  1. We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
  2. We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
  3. We have documented our decision on which lawful basis applies to help us demonstrate compliance.
  4. We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.
  5. Where we process special category data, we have also identified a condition for processing special category data, and have documented this.
  6. Where we process criminal offence data, we have also identified a condition for processing this data, and have documented this.

You can find out more about data processing via ICO's website, including why it is important and which lawful basis apply to you.