This is the sixth in a series of 12 posts with some advice from the ICO on how to start preparing for the advent of the GDPR in May 2018.
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Many organisations will not have thought about their legal basis for processing personal data. Under the current law this does not have many practical implications. However, this will be different under the GDPR because some individuals’ rights will be modified depending on your legal basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing.
You will also have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request. The legal bases in the GDPR are broadly the same as those in the DPA, so it should be possible to look at the various types of data processing you carry out and identify your legal basis for each. Again, you should document this to help you comply with the GDPR’s ‘accountability’ requirements.
For more details, go to the Information Commissioner’s Office website.
Source: ICO – Preparing for the General Data Protection Regulation