GDPR Art. 6 requires a lawful basis for every contact's personal data processing — and that basis must be determinable from the record itself, not from institutional memory. Art. 13 requires that data subjects be told the legal basis at the time their data is collected. Without a legal_basis indicator on the provenance record, you cannot demonstrate compliance per-contact or automate consent-status checks. A scraping operation categorized as 'legitimate interest' needs different treatment than a form submission with explicit consent — conflating them because the record carries no basis indicator is a regulatory failure waiting to happen.
Low because the field is supplemental when a separate consent management system carries a foreign key link, but its absence on standalone provenance records breaks GDPR Art. 6 auditability at the contact level.
Add a legal_basis column to the contacts table and populate it at ingestion time based on source type. The value should map directly to one of the GDPR Art. 6 lawful bases.
ALTER TABLE contacts
ADD COLUMN legal_basis TEXT
CHECK (legal_basis IN (
'consent',
'legitimate_interest',
'contract',
'legal_obligation'
));
In the ingestion pipeline, derive the value from source_type:
const LEGAL_BASIS_BY_SOURCE: Record<string, string> = {
  form: 'consent',
  referral: 'consent',
  api: 'legitimate_interest',
  scraper: 'legitimate_interest',
  purchased: 'legitimate_interest',
}
// Fail loudly on an unmapped source type: an undefined value would be written as NULL,
// which the CHECK constraint accepts but which leaves the record with no legal basis.
const legal_basis = LEGAL_BASIS_BY_SOURCE[source.source_type]
if (legal_basis === undefined) {
  throw new Error(`no legal basis mapping for source_type '${source.source_type}'`)
}
For sources where 'consent' applies, the provenance record should also carry a reference to the consent version in effect at ingestion time.
ID: data-sourcing-provenance.provenance-tracking.provenance-consent-context
Severity: low
What to look for: Count all legal basis values defined in the system. Examine the provenance record (or an adjacent consent record) for any indication of what consent or legal basis applies to the contact's data. This does not need to be a full consent management system (the Compliance & Consent Engine Audit covers that) — but the provenance record should at least link to a legal basis indicator: legal_basis ('legitimate_interest', 'consent', 'contract'), a reference to the consent version applicable at ingestion time, or a boolean consent_provided flag. Quote the actual field definition found. Check if this is populated during ingestion for each source type.
Pass criteria: Provenance records include at least 1 legal_basis indicator or a reference to a consent record/version that was applicable at the time of ingestion. The field is populated for all source types.
Fail criteria: Provenance records contain no legal basis or consent context. The system has no way to determine what legal basis applies to a contact's data from the provenance record alone.
Skip (N/A) when: A separate, comprehensive consent management system is in place and provenance records carry a foreign key to consent records (acceptable if the link is explicit and queryable).
Cross-reference: Check data-sourcing-provenance.source-management.source-type-enum — each source type should map to a default legal basis value.
Detail on fail: "Provenance record has no legal_basis field — cannot determine the legal basis for contacting a lead without checking external documentation".
Remediation: Add a legal basis indicator to the provenance record:
ALTER TABLE contacts
ADD COLUMN legal_basis TEXT
CHECK (legal_basis IN ('consent', 'legitimate_interest', 'contract', 'legal_obligation'));
Populate it at ingestion time based on source type (e.g., form submissions → 'consent', scraped contacts → 'legitimate_interest').
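The source-type mapping from the remediation above and the pass criteria of this check, worked through as an added example (not code from the original rule): ingestion derives legal_basis, insists on a consent version for consent-based sources, and an audit pass flags records that name no basis. The source types and basis values are the page's; the record shape, function names and sample contacts are assumptions.

```typescript
type LegalBasis = 'consent' | 'legitimate_interest' | 'contract' | 'legal_obligation';
type SourceType = 'form' | 'referral' | 'api' | 'scraper' | 'purchased';

// Mirrors the CHECK constraint on contacts.legal_basis.
const LEGAL_BASIS_BY_SOURCE: Record<SourceType, LegalBasis> = {
  form: 'consent',
  referral: 'consent',
  api: 'legitimate_interest',
  scraper: 'legitimate_interest',
  purchased: 'legitimate_interest',
};

// Assumed provenance record shape; consent_version is the consent text
// version in effect at ingestion time (null for non-consent bases).
interface ProvenanceRecord {
  contact_id: string;
  source_type: string;
  legal_basis: LegalBasis | null;
  consent_version: string | null;
}

// Derive provenance fields for one incoming contact. Unknown source types
// throw: a silent undefined would be stored as NULL, which the CHECK
// constraint accepts and the audit then fails.
function deriveLegalBasis(
  contactId: string, sourceType: string, consentVersion?: string,
): ProvenanceRecord {
  if (!Object.prototype.hasOwnProperty.call(LEGAL_BASIS_BY_SOURCE, sourceType)) {
    throw new Error(`source_type '${sourceType}' has no legal basis mapping`);
  }
  const basis = LEGAL_BASIS_BY_SOURCE[sourceType as SourceType];
  if (basis === 'consent' && !consentVersion) {
    throw new Error(`consent-based source '${sourceType}' requires a consent version`);
  }
  return {
    contact_id: contactId,
    source_type: sourceType,
    legal_basis: basis,
    consent_version: basis === 'consent' ? (consentVersion as string) : null,
  };
}

// Pass criteria: every record carries a legal basis or a consent version
// reference. Returns the failing contact_ids so the audit detail can quote
// them; an empty array is a pass.
function auditProvenance(records: ProvenanceRecord[]): string[] {
  return records
    .filter((r) => r.legal_basis === null && r.consent_version === null)
    .map((r) => r.contact_id);
}
```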