The EU General Data Protection Regulation (GDPR) provides for a limited number of bases on which personal data may be processed, and a further small number of exemptions which may be applied where special categories of data are processed. GDPR further protects rights of data subjects, although some of these rights are only engaged where particular lawful bases are used for a given processing purpose.

In health and social care, data is often collected for more than one purpose and different lawful bases may apply to each purpose. It is important to understand the distinction between purpose, lawful basis and data subject rights, so that data subjects can exercise their rights. This is one of the key tests of the duty of lawfulness, fairness and transparency, for which controllers are accountable.

Kaleidoscope helps clients to work through these requirements and to design appropriate controls and communications to enable data subjects to exercise their rights and for the organisation to provide an appropriate response.