Question: Are lawful bases and purposes of processing documented and approved for all personal-data activities?
Why This Matters
Explicitly recording lawful bases (consent, contract, legitimate interest) provides defensibility and ensures alignment with privacy principles.
Maturity
0 — Unaware
No awareness of lawful basis concept.
1 — Ad Hoc
Assumed consent without records.
2 — Defined
Lawful basis documented per process.
3 — Managed
DPO reviews basis changes; training delivered.
4 — Integrated
Register links basis to purpose and retention.
5 — Optimized
Automated validation during project intake.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify core processing activities. |
| 1 → 2 | Document lawful basis for each activity. |
| 2 → 3 | Establish a DPO review and approval workflow. |
| 3 → 4 | Link each approved basis to the processing register and policy repository. |
| 4 → 5 | Integrate the lawful-basis checklist into change management so it is validated at project intake. |
Enablers
- People: DPO, Process Owners, Legal
- Process: Review cycle per new activity
- Technology: GRC workflow tool, privacy register
Evidence
- Lawful-basis matrix
- Approval records
- Training completion reports
KPIs
- Number of activities with approved basis
- Percentage reviewed annually
- Average approval turnaround time
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Workflow | Google Forms + Sheets | Simple approval log |
| Register | Airtable | Link basis to purpose |
| Awareness | Moodle | Staff training module |
Common Pitfalls
- “Default consent” for everything
- No evidence of review
- Purpose creep between departments
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27701 | 7.2.2 (Lawful basis) |
| DPDP Act 2023 | Sec 5–7 (Lawful purpose and consent) |
| GDPR | Art. 6 |
| NIST CSF 2.0 | ID.DP-02 |
| NIRMATA Mapping | PD-Q03 establishes processing legitimacy. |