Article Six: The highest risk of GDPR fines

Data breaches are big news. They come with a major hit to the trust customers have with a business, and even parts of the world that don't have data privacy laws will often have some form of data breach law. It might be surprising though, for those focused on GDPR, that data breaches don't account for the greatest number, and greatest monetary value, of GDPR fines.

When looking at the history of fines imposed by EU member states, it is clear that the top spot goes to Article 6 violations, otherwise known as "insufficient legal basis for data processing."

Legal or lawful basis for processing is how, or more importantly if, you have the right to collect and process data about an individual. The GDPR and its member states have a set of guidelines that cover what they consider to be a legal basis. Adhering to these guidelines is how you demonstrate the lawfulness of processing.

The best way to get started is to look at the six criteria that the GDPR outlines. They are:

Consent

Has the person given consent to have their data processed for a specific purpose? This is the most common approved way to meet a lawful basis. In this case, you explicitly ask for permission and receive permission from the person to collect and process their data.

Contract Necessity

In order to complete the contract you have with the person, is it necessary to collect their personal data? In these instances there is usually a consent component as well, but this basis covers edge cases where consent alone may not apply, such as when unique contracts for services are made. If you can show that you needed to process the data to complete the task in your contract, you are meeting the legal basis.

Legal obligation

Is it necessary to collect their data in order to meet a legal obligation or to be in compliance with a law or regulation? In instances where the law in an area requires you to process data in order to complete a task, you can use the legal obligation criteria. For example, banks may be required to obtain tax identification numbers before opening business accounts. While other information they collect may require consent, the government requirement of the tax ID does not.

Vital interests

Is it necessary to collect their data in order to protect their life or safety? This basis often applies to healthcare organizations that need to collect personal information, such as biometric data, but cannot receive consent from the individual. Most organizations will not be able to use vital interest to meet the lawful basis requirement.

Public interests

Is it in the public's interest for you to collect data from the individual? As with vital interest, most organizations will not use public interest as their lawful basis. Instead, it applies to instances where the public good requires the collection of personal data. This could be related to a public health crisis, law enforcement, or legal proceedings. One exception is organizations that act on behalf of the public, like universities or government contractors.

Legitimate interests

Can you prove a legitimate need for processing the data? Legitimate interest is the gray area that many teams struggle with. Legitimate interest is any processing necessary for the purposes intended by the controller or third party, as long as it doesn't infringe on the fundamental rights or freedoms of the person.

Why are so many companies fined?

According to statistics collected by GDPR Enforcement Tracker, since the very first month of GDPR fines in July 2018, more than €166,000,000 has been imposed for Article 6 violations. That is over 237 fines as of spring 2021. The organizations fined range from larger companies like Google and British Airways all the way down to regional e-commerce and energy companies. The way to avoid this is by demonstrating a legal basis for data processing.

Most organizations will rely on consent or legitimate interest for proving legal basis. Consent is the easiest way to avoid problems. You ask for permission to do something, and if you receive it you only do that specific type of processing. If you later decide to perform a different type of processing without asking for consent, you are at risk of non-compliance. Issues can also arise when a team doesn't have a good process for tracking privacy-related changes: a new feature that collects new data is released, it makes it past review, and the privacy policy is never updated. Suddenly an app that otherwise follows all consent guidelines is in breach of the regulation.

Legitimate interest is somewhat harder, but gives you more freedom, especially if you are performing processing that isn't easily understood by your customers. As technology evolves and the types of data that can be considered personally identifiable information (PII) expand, legitimate interests can be used to provide processing services without explicit consent. For example, you may need to collect an individual's name, address, and email in order to sell them a physical item. You should include your legitimate interests in your privacy policy, but you don't need to explicitly ask for processing consent as you would with tracking cookies.

Avoiding the risk of GDPR non-compliance

Data breaches are inevitable. You can do your best to mitigate them, but all good security teams know that they still need to plan for the day something is compromised. Fines for lacking a legal basis for processing, by contrast, are completely avoidable by asking yourself a few key questions:

  • Do we need to process this data?
  • Is there a lawful basis, such as public or vital interest, that allows us to process this data?
  • If not, have we asked for consent to do so?
  • If not, do we have a legitimate interest that we can demonstrate and prove?

If you are acting in the best interest of your customers and practicing privacy by design, your risk of fines is incredibly low. You can further prevent slip-ups by bringing privacy practices directly into your software development workflow.
