Lawful basis recorded per processing activity
Demonstrate that every documented personal data processing activity has an explicitly recorded and justifiable lawful basis under applicable privacy law.
Description
What this control does
This control requires organizations to document the lawful basis for each personal data processing activity in accordance with the applicable privacy regulation, such as GDPR Article 6, the CCPA, or the equivalent provisions in other jurisdictions. Each processing activity recorded in the Record of Processing Activities (RoPA) or a similar register must explicitly identify the legal ground (e.g., consent, contractual necessity, legitimate interest, legal obligation, vital interest, or public task) on which the organization relies to process the personal data. This ensures transparency, accountability, and defensibility in the event of a regulatory inquiry or data subject complaint. Without recorded lawful bases, organizations risk non-compliance penalties and the loss of processing rights.
Control objective
What auditing this proves
Demonstrate that every documented personal data processing activity has an explicitly recorded and justifiable lawful basis under applicable privacy law.
Associated risks
Risks this control addresses
- Regulatory enforcement actions and financial penalties for non-compliance with GDPR Article 6, CCPA, or equivalent privacy laws
- Inability to respond adequately to data protection authority inquiries or audits due to missing legal justifications
- Unlawful processing of personal data leading to data subject complaints, reputational damage, and loss of customer trust
- Scope creep in data processing activities without corresponding legal review, resulting in unauthorized secondary uses
- Failure to honor data subject rights (e.g., erasure, objection) due to unclear or invalid lawful bases
- Legal exposure from misapplied lawful bases such as claiming consent when processing is actually required for contractual performance
- Inability to conduct legitimate interest assessments or demonstrate balancing tests when relying on that lawful basis
Testing procedure
How an auditor verifies this control
- Obtain the current Record of Processing Activities (RoPA), data inventory, or processing activity register maintained by the Data Protection Officer or privacy team.
- Select a representative sample of at least 15-20 processing activities spanning different business functions, data types, and processing purposes.
- Verify that each sampled processing activity explicitly documents one or more lawful bases from the applicable legal framework (GDPR Article 6 or the equivalent in the relevant jurisdiction).
- Cross-reference processing activities claiming 'consent' as lawful basis with consent management records to confirm valid, documented consent exists.
- For processing activities relying on 'legitimate interest', verify that a Legitimate Interest Assessment (LIA) or balancing test has been conducted and documented.
- Interview business process owners for 3-5 sampled activities to confirm that the recorded lawful basis accurately reflects the operational reality and the original intent.
- Review data privacy impact assessments (DPIAs) for high-risk processing to confirm consistency between lawful basis documentation and risk analysis.
- Review change logs or version history to confirm that lawful basis documentation was updated whenever processing purposes or legal grounds changed.
Where this control is tested