Paulina JedwabskaHead of Information Governance and Departmental Records Officer
Department for Digital, Culture, Media and Sport (DCMS)
Under the GDPR, business can process personal data only if, and to the extent that, at least one lawful basis applies: Consent, Contractual, Legal obligation, Vital interests, Public tasks and Legitimate interests – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. This shall not apply to processing carried out by public authorities in the performance of their tasks.
In UK Legitimate interest shall not apply to processing carried out by public authorities in the performance of their public tasks but can be used for non-public task processing. We are going to explore what this means in reality.