Lawfulness of Processing
Description
Processing is lawful only if and to the extent at least one lawful basis applies: consent, contract, legal obligation, vital interests, public task, legitimate interests.
⚠️ Risk Impact
Most processing relies on consent or legitimate interests. Both have specific requirements; sloppy implementation produces enforcement risk.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Document the lawful basis for each processing activity. Maintain consent records (timestamp, scope, mechanism). Document legitimate interest assessments. Provide a mechanism for withdrawing consent.
💀 Real-World Attack Scenario
An e-commerce company sent marketing emails citing 'legitimate interest' without a documented assessment. CNIL determined the legitimate interest assessment was inadequate: €1.2M fine and an order to cease processing for non-consenting users.
💰 Cost of Non-Compliance
Article 6 violations: up to €20M / 4% of revenue. CNIL enforcement: €1.2M+ in recent cases.
📋 Audit Questions
1. Lawful basis documented per processing activity?
2. Consent records?
3. Legitimate interest assessments?
4. Withdrawal mechanism?
⚡ Common Pitfalls
- ⛔ Defaulting to 'legitimate interest' without an assessment
- ⛔ Consent UX that doesn't meet the 'freely given' standard
- ⛔ No withdrawal mechanism
📈 Business Value
Documented lawful basis is foundational to GDPR defense.
⏱️ Effort Estimate
Per-activity documentation; EchelonGraph maintains the processing register.
🔗 Cross-Framework References