The ICO exists to empower you through information.

Step 1 of 4: Lawfulness, fairness and transparency

1.1 Information you hold

More information

You should organise an information audit across your business or within particular business areas. One person with in-depth knowledge of your working practices may be able to do this. This will identify the data that you process and how it flows into, through and out of your business. Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site). Having audited your information, you should then be able to identify any risks.

More information

Once you have completed your information audit, you should document your findings, for example in an information asset register. Doing this will also help you to comply with the UK GDPR’s accountability principle. This requires your business to be able to show how you comply with the UK GDPR principles, for example by having effective procedures and guidance for staff. You must record: * the name and details of your business, each controller you are acting on behalf of, and the controllers’ representative (if relevant), your representative and the data protection officer); * categories of the processing carried out on behalf of each controller; * details of transfers to third countries including documentation of the transfer mechanism safeguards in place, if applicable; and * where possible, a general description of technical and organisational security measures. If you have fewer than 250 employees you only need to keep these records for processing activities that: * are not occasional; * could result in a risk to the rights and freedoms of individuals; or * involve the processing of special categories of data or criminal conviction and offence data. You may be required to make these records available to the ICO on request.


1.2 Lawful basis for processing personal data

More information

You need to identify your lawful basis before you can process personal data. There are six available lawful bases for processing. No single basis is better or more important than the others. The basis that is most appropriate will depend on your purpose for processing and relationship with the individual. In summary, the six lawful bases are: (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). (d) Vital interests: the processing is necessary to protect someone’s life. (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) If you are processing special category data or criminal offence data you need to identify both a lawful basis for general processing and an additional condition (Article 9 condition) for processing this type of data. You need to give individuals information about how you intend to process their personal data and what your lawful basis is for doing so.


1.3 Consent

More information

The UK GDPR sets a high standard for consent but remember you often won’t need consent. You should also assess whether another lawful basis is more appropriate. Consent means offering people genuine choice and control over how you use their data. You can build trust and enhance your reputation by using consent properly. The UK GDPR builds on the 1998 Act standard of consent in several areas and contains much more detail: 

  • You should keep your consent requests prominent and separate from other terms and conditions.
  • Seek a positive opt-in such as unticked opt-in boxes or similar active opt-in methods.
  • Avoid making consent a precondition of service.
  • Be specific and granular. Allow individuals to consent separately to different purposes and types of processing wherever appropriate.
  • Name your business and any specific third party organisations who will rely on this consent.
  • Keep records of what an individual has consented to, including what you told them, and when and how they consented.
  • Tell individuals they can withdraw consent at any time and how to do this.


More information

Your obligations don’t end when you first get consent. You should continue to review consent as part of your ongoing relationship with individuals, not a one-off compliance box to tick and file away. Keep consent under review, and refresh it if anything changes. You should have a system or process to capture these reviews and record any changes. If your current consent doesn’t meet the UK GDPR’s high standards or is poorly documented, you need to seek fresh UK GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.


1.4 Consent to process children’s personal data for online services

More information

You need to have a lawful basis for processing a child’s personal data. If you are relying on consent as your lawful basis for processing and are offering online services to children, only a child aged 13 or over will be able to provide their own consent. You will therefore need to make reasonable efforts to verify that anyone giving their own consent is old enough to do so. For children under 13 you need to get consent from whoever holds parental responsibility for the child - unless the online services you offer are for preventive or counselling purposes. You must make reasonable efforts (using available technology) to verify that the person giving consent does, in fact, hold parental responsibility for the child.


1.5 Vital interests

More information

The lawful basis for vital interests is very similar to the old condition for processing in the 1998 Act. One key difference is that anyone’s vital interests can now provide a basis for processing, not just those of the data subject themselves. This lawful basis is very limited in its scope, and generally only applies to matters of life and death. It is likely to be particularly relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is incapable of giving consent to the processing. It is unlikely to be appropriate for medical care that is planned in advance or for processing on a larger scale. As health data is one of the special categories of data, you also need to identify a condition for processing special category data under Article 9. Provide guidance to staff so they know the circumstances when they may apply this lawful basis. You need to review your existing processing to identify if you have any ongoing processing for this reason, or are likely to need to process for this reason in future. You should then document where you rely on this basis and inform individuals if relevant.


1.6 Legitimate interests

More information

Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate if:

  • you use people’s data in ways they would reasonably expect and which have a minimal privacy impact; or
  • there is a compelling justification for the processing.

The UK GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.

If you want to rely on legitimate interests, you can use the three-part test, or a legitimate interests assessment (LIA), to assess whether it applies. You should do it before you start the processing.

Firstly, identify the legitimate interest(s). Consider:

  • Why do you want to process the data – what are you trying to achieve?
  • Who benefits from the processing? In what way?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • Would your use of the data be unethical or unlawful in any way?

Secondly, apply the necessity test. Consider:

  • Does this processing actually help to further that interest?
  • Is it a reasonable way to go about it?
  • Is there another less intrusive way to achieve the same result?

Thirdly, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

  • What is the nature of your relationship with the individual?
  • Is any of the data particularly sensitive or private?
  • Would people expect you to use their data in this way?
  • Are you happy to explain it to them?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Are you processing children’s data?
  • Are any of the individuals vulnerable in any other way?
  • Can you adopt any safeguards to minimise the impact?
  • Can you offer an opt-out?

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.


1.7 Data Protection Fee

More information

After May 2018 you need to pay the ICO a data protection fee. If you have already registered with the ICO in the last year prior to May 2018, you only need to pay the fee once your current registration expires.

There are three different tiers of fee. Controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers. The tier you fall into depends on:

  • how many members of staff you have;
  • your annual turnover; 
  • whether you are a public authority; * whether you are a charity; and
  • whether you are a small occupational pension scheme. Not all controllers must pay a fee. Many can rely on an exemption.

Read our Guide to the Data Protection Fee on our website for more information.