As UCanvass is a data collection app, we take GDPR very seriously and comply with all of its provisions. For guidance on GDPR, see the points summarised below, which are up to date as of the latest advice from the Information Commissioner’s Office on 22 May 2019.

  • Understanding whether you are processing personal data is critical to understanding whether the GDPR applies to your activities.
  • Personal data is information that relates to an identified or identifiable individual.
  • What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
  • If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
  • If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
  • Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
  • When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
  • It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
  • Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.
  • Information which is truly anonymous is not covered by the GDPR.
  • If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.
  • The GDPR applies to ‘controllers’ and ‘processors’.
  • A controller determines the purposes and means of processing personal data.
  • A processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
  • However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
  • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national sec
  • Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the GDPR and the fair treatment of individuals.
  • Your obligations under the GDPR will vary depending on whether you are a controller, joint controller or processor.
  • The ICO has the power to take action against controllers and processors under the GDPR.
  • Individuals can bring claims for compensation and damages against both controllers and processors.
  • You should take the time to assess, and document, the status of each organisation you work with in respect of all the personal data and processing activities you carry out.
  • Whether you are a controller or processor depends on a number of issues. The key question is – who determines the purposes for which the data are processed and the means of processing?
  • Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.
  • The GDPR sets out seven key principles:
    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Integrity and confidentiality (security)
    • Accountability
  • These principles should lie at the heart of your approach to processing personal data.
  • You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
  • You must ensure that you do not do anything with the data in breach of any other laws.
  • You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
  • You must be clear, open and honest with people from the start about how you will use their personal data.
  • You must be clear about what your purposes for processing are from the start.
  • You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
  • You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.

You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.
  • You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.
  • You may need to keep the personal data updated, although this will depend on what you are using it for.
  • If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
  • You must carefully consider any challenges to the accuracy of personal data.
  • You must not keep personal data for longer than you need it.
  • You need to think about – and be able to justify – how long you keep personal data.
  • This will depend on your purposes for holding the data.
  • You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
  • You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
  • You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.
  • You must have a valid lawful basis in order to process personal data.
  • There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
  • Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
  • You must determine your lawful basis before you begin processing, and you should document it. The Information Commissioner’s Office has an interactive tool to help you.
  • Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.
  • Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
  • If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
  • If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
  • If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
  • The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
  • Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
  • Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Explicit consent requires a very clear and specific statement of consent.
  • Keep your consent requests separate from other terms and conditions.
  • Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
  • Be clear and concise.
  • Name any third party controllers who will rely on the consent.
  • Make it easy for people to withdraw consent and tell them how.
  • Keep evidence of consent – who, when, how, and what you told people.
  • Keep consent under review, and refresh it if anything changes.
  • Avoid making consent to processing a precondition of a service.
  • Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.
  • You can rely on this lawful basis if you need to process someone’s personal data:
    • to deliver a contractual service to them; or
    • because they have asked you to do something before entering into a contract (eg provide a quote).
  • The processing must be necessary. If you could reasonably do what they want by processing less data, or using their data in a less intrusive way, this basis will not apply.
  • You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
  • You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation.
  • This does not apply to contractual obligations.
  • The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply.
  • You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
  • You should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation.
  • You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life.
  • The processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply.
  • You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.
  • You should consider whether you are likely to rely on this basis, and if so document the circumstances where it will be relevant and ensure you can justify your reasoning.
  • You can rely on this lawful basis if you need to process personal data:
    • ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
    • to perform a specific task in the public interest that is set out in law.
  • It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
  • You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.
  • The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.
  • Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.
  • Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
  • It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
  • If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
  • Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
  • There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
    • identify a legitimate interest;
    • show that the processing is necessary to achieve it; and
    • balance it against the individual’s interests, rights and freedoms.
  • The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
  • The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
  • You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
  • Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
  • You must include details of your legitimate interests in your privacy information.
  • Special category data is personal data that needs more protection because it is sensitive.
  • In order to lawfully process special category data, you must identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. These do not have to be linked.
  • There are 10 conditions for processing special category data in Article 9 of the GDPR.
  • Five of these require you to meet additional conditions and safeguards set out in UK law, in Schedule 1 of the DPA 2018.
  • You must determine your condition for processing special category data before you begin this processing under the GDPR, and you should document it.
  • In many cases you also need an ‘appropriate policy document’ in place in order to meet a UK Schedule 1 condition for processing in the DPA 2018.
  • You need to complete a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing the special category data.
  • To process personal data about criminal convictions or offences, you must have both a lawful basis under Article 6 and either legal authority or official authority for the processing under Article 10.
  • The Data Protection Act 2018 deals with this type of data in a similar way to special category data, and sets out specific conditions providing lawful authority for processing it.
  • You can also process this type of data if you have official authority to do so because you are processing the data in an official capacity.
  • You cannot keep a comprehensive register of criminal convictions unless you do so in an official capacity.
  • You must determine your condition for lawful processing of offence data (or identify your official authority for the processing) before you begin the processing, and you should document this.
  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  • It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
  • User testing is a good way to get feedback on how effective the delivery of your privacy information is.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
  • Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.
  • Individuals have the right to access their personal data.
  • This is commonly referred to as subject access.
  • Individuals can make a subject access request verbally or in writing.
  • You have one month to respond to a request.
  • You cannot charge a fee to deal with a request in most circumstances.
  • The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
  • An individual can make a request for rectification verbally or in writing.
  • You have one calendar month to respond to a request.
  • In certain circumstances you can refuse a request for rectification.
  • This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article 5(1)(d)).
  • The GDPR introduces a right for individuals to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’.
  • Individuals can make a request for erasure verbally or in writing.
  • You have one month to respond to a request.
  • The right is not absolute and only applies in certain circumstances.
  • This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
  • Individuals have the right to request the restriction or suppression of their personal data.
  • This is not an absolute right and only applies in certain circumstances.
  • When processing is restricted, you are permitted to store the personal data, but not use it.
  • An individual can make a request for restriction verbally or in writing.
  • You have one calendar month to respond to a request.
  • This right has close links to the right to rectification (Article 16) and the right to object (Article 21).
  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
  • Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
  • The right only applies to information an individual has provided to a controller.
  • Some organisations in the UK already offer data portability through midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
  • The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
  • Individuals have an absolute right to stop their data being used for direct marketing.
  • In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
  • You must tell individuals about their right to object.
  • An individual can make an objection verbally or in writing.
  • You have one calendar month to respond to an objection.
  • The GDPR has provisions on:
    • automated individual decision-making (making a decision solely by automated means without any human involvement); and
    • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
  • The GDPR applies to all automated individual decision-making and profiling.
  • Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.
  • You can only carry out this type of decision-making where the decision is:
    • necessary for the entry into or performance of a contract; or
    • authorised by Union or Member state law applicable to the controller; or
    • based on the individual’s explicit consent.
  • You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
    • give individuals information about the processing;
    • introduce simple ways for them to request human intervention or challenge a decision;
    • carry out regular checks to make sure that your systems are working as intended.
  • Accountability is one of the data protection principles – it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.
  • You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
  • There are a number of measures that you can, and in some cases must, take including:
    • adopting and implementing data protection policies;
    • taking a ‘data protection by design and default’ approach;
    • putting written contracts in place with organisations that process personal data on your behalf;
    • maintaining documentation of your processing activities;
    • implementing appropriate security measures;
    • recording and, where necessary, reporting personal data breaches;
    • carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
    • appointing a data protection officer; and
    • adhering to relevant codes of conduct and signing up to certification schemes.
  • Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
  • If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.
  • Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.
  • Whenever a controller uses a processor, there must be a written contract (or other legal act) in place.
  • The contract is important so that both parties understand their responsibilities and liabilities.
  • The GDPR sets out what needs to be included in the contract.
  • If a processor uses another organisation (ie a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.
  • The GDPR contains explicit provisions about documenting your processing activities.
  • You must maintain records on several things such as processing purposes, data sharing and retention.
  • You may be required to make the records available to the ICO on request.
  • Documentation can help you comply with other aspects of the GDPR and improve your data governance.
  • Controllers and processors both have documentation obligations.
  • For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.
  • Information audits or data-mapping exercises can feed into the documentation of your processing activities.
  • Records must be kept in writing.
  • Most organisations will benefit from maintaining their records electronically.
  • Records must be kept up to date and reflect your current processing activities.
  • We have produced some basic templates to help you document your processing activities.
  • The GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.
  • In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.
  • This concept is not new. Previously known as ‘privacy by design’, it has always been part of data protection law. The key change with the GDPR is that it is now a legal requirement.
  • Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.
  • A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
  • You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.
  • It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
  • Your DPIA must:
    • describe the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.
  • To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
  • You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
  • If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
  • If you are processing for law-enforcement purposes, you should read the Guide to Law Enforcement Processing.
  • The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.
  • The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.
  • DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
  • The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
  • A DPO can be an existing employee or externally appointed.
  • In some cases several organisations can appoint a single DPO between them.
  • DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
  • Codes of conduct enable a sector to own and resolve key data protection challenges. The ICO sees these as a way of demonstrating accountability and encourages trade associations and bodies who are able to speak on behalf of a group of organisations to create codes of conduct.
  • Using an ICO-approved code of conduct gives assurance that the code and its monitoring are appropriate and will help you to apply the GDPR effectively.
  • Codes of conduct should reflect the requirements of different processing sectors and take account of the specific needs of small and medium-sized enterprises.
  • Trade associations or bodies who are able to speak on behalf of a group of organisations can create, amend or extend codes of conduct to help their sector comply with the GDPR in a practical, transparent and cost-effective way.
  • Signing up to a code of conduct is voluntary. However, if there is an approved code of conduct, relevant to your processing, you should consider signing up.
  • A code of conduct can help you to reflect on your processing activities and ensure you follow rules designed for your sector to achieve best practice.
  • A draft code of conduct must be submitted to us for approval and will be assessed against specific criteria to ensure that it meets the expected standard.
  • A code of conduct will describe the appropriate monitoring mechanisms and (where applicable) the monitoring bodies that will be accredited to monitor compliance as part of the code approval process.
  • Certification is a way to demonstrate your compliance with the GDPR and enhance transparency.
  • Certification criteria should reflect the needs of small and medium sized enterprises.
  • Certification criteria are approved by the ICO and certification issued by accredited certification bodies.
  • Certification will be issued to data controllers and data processors in relation to specific processing activities.
  • Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships.
  • A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.
  • Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.
  • You also have to take into account additional requirements about the security of your processing – and these also apply to data processors.
  • You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
  • Where appropriate, you should look to use measures such as pseudonymisation and encryption.
  • Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
  • The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
  • You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.
  • The GDPR requires you to implement appropriate technical and organisational measures to ensure you process personal data securely.
  • Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.
  • Encryption is a widely-available measure with relatively low costs of implementation. There is a large variety of solutions available.
  • You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption.
  • When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards. You should be aware of the residual risks of encryption, and have steps in place to address these.
  • Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.
  • Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing.
  • You should consider whether there are any better alternatives to using passwords.
  • Any password system you deploy must protect against theft of stored passwords and ‘brute-force’ or guessing attacks.
  • There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.
  • The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
  • You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
  • You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
  • The GDPR primarily applies to controllers and processors located in the European Economic Area (the EEA) with some exceptions.
  • Individuals risk losing the protection of the GDPR if their personal data is transferred outside of the EEA.
  • On that basis, the GDPR restricts transfers of personal data outside the EEA, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
  • A transfer of personal data outside the protection of the GDPR (which we refer to as a ‘restricted transfer’), most often involves a transfer from inside the EEA to a country outside the EEA.
  • The GDPR and the Data Protection Act 2018 set out exemptions from some of the rights and obligations in some circumstances.
  • Whether or not you can rely on an exemption often depends on why you process personal data.
  • You should not routinely rely on exemptions; you should consider them on a case-by-case basis.
  • You should justify and document your reasons for relying on an exemption. If no exemption covers what you do with personal data, you need to comply with the GDPR as normal.