In the course of advising businesses on the new data regulations, the above is a question that frequently crops up. Businesses want to know whether or not they need individuals' consent alone to process personal data. The simple answer is that consent is not necessary - it is merely one of various lawful bases to process data, but it is commonly used. 

The GDPR, which seeks to protect individuals’ data and enhance their privacy, stipulates that businesses must only process personal data when there is one of several grounds available. These grounds are known as lawful bases. A business therefore needs a lawful basis to process personal data. Without a lawful basis, a business unlawfully processes personal data. Examples of lawful bases include:

1. Where a business pursues its legitimate interests;

2. If an individual enters into a contract with the business for the latter to process data;

3. Where it is of vital interest that data be processed (think a person needing an emergency operation); and

4. The individual’s consent is also a lawful basis.

While in practice consent is frequently relied upon, on many occasions it will not be the correct adequate lawful basis to rely on. Another lawful basis, such as legitimate interests, may need to be considered in such circumstances. Legitimate interests is broadly defined, but includes circumstances where it is reasonable for the business to further its objectives. 

It may well be that you have a myriad of questions on GDPR. Even though it has been in force since May 2018, lots of small businesses in particular are grappling with its effects and, to some extent, the Information Commissioner's Office, appreciates this.

If you require any advice on the GDPR, please contact Markel Law and we would be more than willing to assist you.

At Markel Law we regularly comment on SME related matters.

Follow this link to find out more about Markel Law and how we can assist your business.