As an organisation that collects personal data of any kind, you must be able to comply with at least one of the six legal bases for processing personal data. These are:
1. Explicit consent – Someone should agree to have their data collected and stored without being tricked in any way.
2. Performance of a contract – Sometimes, you must collect data to create a contract.
3. Legitimate interest – This is probably the most obscure basis. In general, this is when you use data because the subject would expect you to. You can find out more about legitimate interest from the ICO.
4. Vital interest – This might be used in processing health data to save someone’s life.
5. Legal requirement – This is when there is a legal obligation to collect and process data; for example, employers need specific data on their employees.
6. Public interest – This is most likely to be used in civil service and governments.