When people talk about the UK GDPR, consent often dominates the conversation. Many small business owners, freelancers, and marketers believe that to process any personal data, you always need explicit consent. This widespread belief is perhaps one of the most common and misleading of all UK GDPR consent myths. It can lead to unnecessary burdens for businesses or, conversely, prevent them from lawfully processing data they need.
Consent is just one tool in the UK GDPR toolbox. Imagine you have six equally valid tools, each suited for different situations. Relying solely on consent means you’re missing out on five other perfectly legitimate ways to handle data. This article will challenge the widespread belief that consent is the only lawful basis for processing personal data under UK GDPR. We’ll unpack this particular UK GDPR consent myth, explaining legitimate interest, contract, and other vital legal bases, helping you understand when and how to use them.
Myth vs. Fact: Unpacking UK GDPR Consent Myths
Let’s address this central misconception:
Myth: “You always need to get consent from individuals before you can collect or use their personal data under UK GDPR.”
Fact: “Consent is just one of six lawful bases under UK GDPR. You must have a lawful basis, but it doesn’t always have to be consent.”
This is a fundamental principle of UK GDPR that often gets overlooked. While consent is certainly a valid basis, it can be the most challenging to manage. It requires specific, informed, and unambiguous agreement. It also comes with the right for individuals to withdraw it at any time. Thankfully, the UK GDPR provides five other lawful bases that might be more appropriate for your processing activities. Understanding these helps debunk the UK GDPR consent myths.
The Six Lawful Bases for Processing Personal Data under UK GDPR
For any processing of personal data, you must identify and document one of these six lawful bases:
1. Consent (Article 6(1)(a))
- When to use it: When you offer individuals a genuine choice and control over their data, and they freely agree. Common uses include marketing newsletters or optional website cookies.
- Requirements: Must be freely given, specific, informed, and an unambiguous indication of the individual’s wishes. It must be easy to withdraw consent. You also need to keep records of when and how consent was obtained.
- Why it’s not always ideal: It can be difficult to manage, especially if you rely on it for core business functions that aren’t optional. If consent is withdrawn, you can no longer process that data for that purpose. This is a common reason why consent isn’t always the best fit, contrary to popular UK GDPR consent myths.
2. Contract (Article 6(1)(b))
- When to use it: When processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Examples for a UK Business:
- Processing a customer’s address to deliver a product they purchased.
- Using an employee’s bank details to pay their salary.
- Collecting a client’s project requirements to fulfil a service agreement.
- Key point: The processing must be necessary for the contract, not just convenient.
3. Legal Obligation (Article 6(1)(c))
- When to use it: When processing is necessary for you to comply with a common law or statutory obligation.
- Examples for a UK Business:
- Reporting financial information to HMRC.
- Providing employee data to government bodies as required by law.
- Sharing data with law enforcement if legally compelled.
- Key point: The law doesn’t have to explicitly say “you must process personal data.” It just needs to be clearly necessary for you to meet a legal duty.
4. Vital Interests (Article 6(1)(d))
- When to use it: When processing is necessary to protect someone’s life. In practice this basis applies only rarely.
- Examples:
- A medical professional sharing patient data in an emergency to save their life.
- A care home sharing resident information with paramedics during a health crisis.
- Key point: This basis is for life-or-death situations and cannot be used for any other purpose.
5. Public Task (Article 6(1)(e))
- When to use it: When processing is necessary for you to perform a task in the public interest or for your official functions. This basis primarily applies to public authorities.
- Examples:
- A local council processing residents’ data for planning permission applications.
- A government department using data to provide public services.
- Key point: This basis is generally not relevant for private small businesses or freelancers unless they are performing tasks with a clear public interest mandate.
6. Legitimate Interests (Article 6(1)(f))
- When to use it: This is often the most flexible basis for private sector organisations after ‘Contract’. You can use it when processing is necessary for your legitimate interests or those of a third party, unless those interests are overridden by the individual’s rights and interests.
- Requirements: You must conduct a “Legitimate Interests Assessment” (LIA). This involves a three-part test:
- Purpose Test: Is there a legitimate interest for the processing?
- Necessity Test: Is the processing necessary to achieve that interest?
- Balancing Test: Do the individual’s rights and interests override your legitimate interest?
- Examples for a UK Business:
- Preventing fraud.
- Network and information security (e.g., monitoring website traffic for cyber threats).
- Direct marketing activities (where appropriate and not intrusive).
- Internal administrative purposes (e.g., data sharing within a group of companies).
- Improving existing services.
- Key point: You must be able to justify your decision and document your LIA. This basis should not be used if a fundamental right of the individual is likely to be disproportionately impacted.
When NOT to Rely on Consent (and why other bases are better)
Relying solely on consent can be problematic, especially for core business functions. This is why debunking UK GDPR consent myths is so important.
- Complexity: Managing consent can be a significant administrative burden. You need robust systems to record, track, and honour withdrawals of consent.
- Withdrawal: Individuals can withdraw consent at any time. If you rely on consent for a crucial service, and it’s withdrawn, you might no longer be able to provide that service.
- Genuine Choice: For consent to be valid, it must be freely given. If processing is a non-negotiable part of a service, then consent isn’t truly “free.” In such cases, another lawful basis (like ‘Contract’) would be more appropriate.
For example, you don’t need consent to process an employee’s bank details for payroll. This is necessary for your employment contract with them and likely a legal obligation (e.g., tax reporting). Similarly, you don’t need consent to process a customer’s address to send them a product they’ve bought – this falls under ‘Contract’.
Practical Steps for Your UK Business
To avoid falling prey to the UK GDPR consent myths:
- Review All Data Processing: For every type of personal data you collect and use, identify its specific purpose.
- Determine Your Lawful Basis: For each purpose, identify the most appropriate lawful basis from the six options. Don’t automatically default to consent.
- Document Your Decisions: This is crucial for UK GDPR accountability. Keep records of why you chose a particular lawful basis for each processing activity. If you rely on Legitimate Interests, document your Legitimate Interests Assessment (LIA).
- Update Privacy Notices: Your privacy notice must clearly state the lawful basis for each type of personal data processing. This provides transparency to individuals.
- Understand the Implications: Be clear on what each lawful basis means. For example, if you rely on consent for marketing, ensure you have a clear way for individuals to withdraw it.
Dispelling the UK GDPR Consent Myth: A Smarter Approach to UK Data Protection
The belief that you always need consent under UK GDPR is indeed a widespread and unhelpful myth. By understanding and properly applying all six lawful bases, your UK business can operate more efficiently and compliantly. This approach ensures your data processing activities are proportionate and justified. It also frees you from the administrative burden of seeking consent where other, more suitable bases exist. Embrace the full toolbox of lawful bases. This will empower your business to handle personal data confidently and in line with UK GDPR requirements.