For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. For the majority of organisations using WebCollect, the likely lawful basis will be either:
6(1)(a) – Consent of the data subject
6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(f) - Processing is necessary for the
purposes of the legitimate interests
pursued by the controller or by a
third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data
subject which require protection of personal data, in particular
where the data subject
is a child.
There are other lawful basis for which you can process data. You can view the full list here in order to determine what your lawful basis is.
The Information Commissioners Office advises that:
"It is important that you determine your lawful basis for processing personal data and document this.
This becomes more of an issue under the GDPR because your lawful basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted."
If you process any of the special categories of data, then there is a separate list of lawful bases set out in Article 9(2) GDPR
Is Consent the best option?
The Information Commissioners Office advises:
"Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests."
And also:
"But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent."
When deciding whether it's the best option, you might want to consider:
- Can someone realistically continue to be a member of the Club if they don't consent? If the answer is No, then you want to consider whether 6(1)(b) or 6(1)(f) is a more appropriate basis.
- Do you collect a mix of information, some of which is necessary for the member to have a subscription to the organisation/attend the event etc, and some of which is not necessary (e.g. Social Media). If that is the case, you may want to rely on more than one lawful basis.
Click here for information on how you can use WebCollect to obtain consent from my members to process data.