GDPR explained – necessary proportionate fair


Understanding the GDPR terms Necessary, Proportionate and Fair

The GDPR does not require organisations to gain consent before personal information is processed; it merely requires that a lawful basis is established.

However, for the processing to be lawful, a legal basis for processing has to be decided upon, and this has to be evidenced as necessary, proportionate and fair.

Further, the GDPR requires that all of the above be transparent. That is to say, the basis and underlying considerations must be recorded and made available to data subjects (the people whose data is being processed) before the processing takes place.

Identifying an overarching “legal” basis for processing and outlining this within a “privacy policy” may appear sufficient, but in the event of a complaint or breach it is likely to be found woefully inadequate.

To meet the “necessary and fair” requirements of the GDPR, each policy, process, approach, project or initiative needs to have a legal basis for processing identified, and the key underlying principles of Necessary, Proportionate and Fair must be met. Additionally, final decisions and outcomes need to be transparent; that is to say, made available, in an easy to understand manner, to the appropriate staff, stakeholders and service users.

Except in situations where the precise processing activity is specifically required by a Government directive, all organisations need to demonstrate, for each and every individual processing activity, that the “necessary, proportionate, fair and transparent” requirements have been met.

Otherwise, in the event of a complaint or breach, organisations will struggle to evidence GDPR compliance.

Necessary
Processors need to demonstrate that the processing is ‘necessary’ for a specific purpose.

It is not enough to argue that processing is necessary because it is part of your particular business model, processes or procedures, or because it is standard practice. This does not mean that processing has to be absolutely essential. However, it must be more than just useful or habitual. It must be a targeted, proportionate and fair way of achieving that purpose.

Processing is not deemed “Necessary” if you can reasonably achieve the same purpose by less intrusive means.

Proportionate
Organisations need to consider the scope, extent and intensity of the processing.

That is to say, consider the impact the processing may have on the data subjects, conduct a fair balance assessment and then explore ways in which the impact of the processing can be reduced.

Processing is not deemed “proportionate” if you can reasonably achieve the same purpose through less intrusive means.

Fair
Organisations must use personal data in a way that is fair.

In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.

Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.

In order to assess whether or not you are processing personal data fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually.

If you have obtained and used the information fairly in relation to most of the people it relates to but unfairly in relation to one individual, there will still be a breach of this principle.

Personal data may sometimes be used in a way that negatively affects an individual without this necessarily being unfair. What matters is whether or not such detriment is justifiable.

Organisations must also ensure they treat individuals fairly when data subjects seek to exercise their rights over their data. This includes, for example, providing clear information on how to object to the processing and on the right to be forgotten.

Transparent Processing
Processors must be clear, open and honest with people from the start about how they use the personal data provided. Data subjects have a right to be informed.

You must ensure that you tell individuals about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.

You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

The level of detail provided within the privacy policy should be proportionate; in situations where the need for processing may not be readily obvious to the data subject then the privacy policy needs to provide greater detail on the legal basis and how the necessary, fair and proportionate requirements have been met.

Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data.

Transparency is always important, but especially in situations where individuals have a choice about whether they wish to enter into a relationship with you. If individuals know at the outset what you will use their information for, they will be able to make an informed decision about whether to enter into a relationship, or perhaps to try to renegotiate the terms of that relationship.

Transparency is important even when you have no direct relationship with the individual and collect their personal data from another source. In some cases, it can be even more important – as individuals may have no idea that you are collecting and using their personal data, and this affects their ability to assert their rights over their data. This is sometimes known as ‘invisible processing’.

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

Impact Assessments
Whilst the GDPR only requires impact assessments to be conducted for high risk activities, they are the perfect way to inform and evidence necessary, fair and transparent decisions.

Good practice dictates that impact assessments should be completed, recorded and made available to all staff for each and every policy, procedure, process, initiative, project or assignment.

Such an approach delivers the best opportunity to keep personal data safe.

Recording Processing Decisions
Organisations are required by law to document all their data processing activities. This means that, as a data controller, you need to maintain an internal record of all processing activities carried out by any processors on behalf of your organisation.

In the event of a complaint or breach, the ICO may require organisations to demonstrate that processing is in line with the accountability principle and may require you to provide records of processing activities to them.

For processing to be lawful, organisations need to be able to justify a legal basis for the processing and evidence that the requirements for “necessary, fair and transparent” have been met.

Additionally, Data Controllers need to ensure that the processing decision information is made available to those tasked with processing the data.

Our courses help refresh your knowledge of the GDPR and, in doing so, help your organisation keep personal information safe.

Concrew Training
August 2023