Thank God it's Friday and welcome to another edition of Privacy Notes.
Today, we will be talking about the lawful basis of processing personal data. In a recent fiasco, an NGO (Digital Rights Lawyers Initiative) sued the Nigeria Youth Service Corps (NYSC) for violating the privacy of Corps members by publishing and selling their personal data in a yearbook. The basis of the suit is that the NYSC has no lawful basis for publishing the personal information of Corps members, as their consent wasn't obtained before such information was published. Always identifying a lawful basis before processing personal data is key to avoiding a personal data breach.
Why is this Important?
You cannot simply process personal data because you desire to do so. Processing of personal data can only be done if it satisfies one of the conditions set out in Article 2.2 of the Nigeria Data Protection Regulation (NDPR).
If you process personal data in the absence of a lawful basis, it is a breach of the NDPR. Failing to comply with the regulation can expose you to serious reputational damage, claims by aggrieved data subjects (who in most cases are your customers), and fines of up to 2% of your Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater.
Now let us look at the 6 different lawful bases, one of which you must have to process personal data.
• PERFORMANCE OF A CONTRACT: You can lawfully process the data when you have a contractual agreement with the Data Subject and you need to process their personal data to comply with the requirements of the contract.
• LEGITIMATE INTEREST: Legitimate interest is probably the most flexible lawful basis for processing personal information, and is likely to be the legal basis most businesses will seek to use in sending marketing emails. With legitimate interest, you can collect, manage and store personal information, as long as you consider and can prove that there is actually a good reason why processing takes place. It is also important to be able to point out that you have weighed the use of legitimate interest against the rights, freedoms and interests of individuals.
• CONSENT: For consent to be used as a lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box, etc.) and positively opt in for their data to be held and used. Here, you must always offer very specific options, so that you get separate consent for separate actions. If services are being offered to children, then parental consent will be a requirement.
• VITAL INTEREST: This applies when you are required to process data in the interest of a party, e.g. to protect someone's life.
• PUBLIC INTEREST: This lawful basis allows you to process personal data if the task is in the public interest.
If you need advice on determining your lawful basis for processing personal data, you should consider contacting us on email@example.com
Thank you for staying tuned…
See you in a bit.