By now, most UK-based companies affected by the European Union’s General Data Protection Regulation (GDPR) should be in the advanced stages of preparations for its implementation.

Many of these organisations will have placed heavy emphasis on the consent aspects of GDPR. In reality, however, consent should be the last thing you rely on when it comes to staying on the right side of the regulation.

Here’s why.

Data collection can be legitimate

By now, you’re most likely aware that the GDPR is designed to give ordinary people more control over their personal data and how it’s used. This may be one reason why so much attention has been given to the question of consent.

It’s important to remember, however, that the regulation doesn’t preclude organisations from gathering data for legitimate reasons.

In fact, Article 6 of the GDPR states that the processing of data is legal if:

  • Processing is necessary for the performance of a contract to which the data subject is party;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

There is, as you can see, a fair amount to work with there. Before you even begin thinking about consent, it’s worth tightening up whichever of these points most applies to your organisation.

One major reason for focusing on the other provisions of Article 6 is that it could save you a lot of work in the long run.

If you rely solely on consent, you’re going to spend a lot of time cleaning up your communication databases. In the worst instances, you might have to build them from scratch.

When consent is necessary

It’s also worth remembering that consent is only needed in very specific circumstances. Consent is required when no other legitimate reason exists, when holding sensitive personal data, when exporting data outside the EU, and for marketing communications.

So, for example, you’ll need consent if you’re sending email marketing to a blended subscriber base where explicit consent was not recorded.

You’ll also need consent if you want to use the data for a purpose other than the one it was originally collected for (like marketing to customers).

Outside of those specific examples, however, there’s little reason to rely on consent.

Bad for business

In fact, there are powerful business reasons not to turn to consent for GDPR compliance.

The first, and most obvious, of these reasons is that consent can be revoked. The GDPR explicitly states that you must make it easy for people to exercise their right to withdraw consent.

Another reason consent should be seen as a last resort is that it confers additional rights on the individual. So, if you rely on consent to process personal data and then want to use it for another purpose, you have to get their consent all over again.

Given the other options available and the pitfalls of relying on consent, it’s pretty obvious that it should be your last resort when it comes to GDPR compliance.

Alison Treadaway

Director, Striata