When most people think about GDPR and data protection, one word immediately comes to mind: Consent.
It makes sense. After all, the idea of asking someone’s permission before using their personal data feels like the most natural and respectful thing to do. But here’s the catch: Under the UK GDPR, consent is only one of six lawful bases for processing personal data.
In fact, in many cases, consent isn’t the best – or even the correct – option. For day-to-day business activities, like paying staff, fulfilling customer orders, or meeting legal obligations, other bases are far more suitable.
The real requirement under GDPR is simple but crucial: You must identify the correct lawful basis for each activity, and be transparent about it. Once you’ve done that, you can process data with confidence, knowing you’re meeting both legal requirements and ethical expectations.
Let’s unpack the six lawful bases and look at how they work in practice.
1. Consent
This is the one everyone knows. Consent means the individual has given a clear, specific, and informed agreement for their data to be used for a particular purpose.
- Example: A customer ticks a box to receive your marketing emails or chooses to opt into a loyalty programme.
The key with consent is that it must be freely given, unambiguous, and easy to withdraw. You can’t bundle consent into terms & conditions, and you can’t rely on silence or pre-ticked boxes.
When to use it: Consent is best when people genuinely have a choice, like opting into communications or signing up for optional services.
When not to use it: If the activity is something the individual can’t realistically refuse – such as processing payroll data for employees – consent isn’t valid.
2. Contract
This basis applies when processing data is necessary to deliver a service under a contract or to take steps before entering into one.
- Example: Collecting a customer’s delivery address when they order something online, or storing an employee’s bank details to pay their salary.
If you couldn’t provide the product or service without using the data, then contract is likely the right lawful basis.
Key point: This isn’t a “catch-all” for anything business-related. It only applies where processing is essential for the contract itself.
3. Legal Obligation
Sometimes, the law requires you to process personal data. In these situations, consent isn’t needed because compliance is mandatory.
- Example: An employer sharing payroll data with HMRC, or a company maintaining health and safety records to meet regulatory requirements.
This basis ensures organisations can meet statutory duties without worrying about invalid consent.
Remember: If a specific law requires the data, this is the lawful basis you should use.
4. Vital Interests
This basis is less common but critically important. It applies when processing is necessary to protect someone’s life.
- Example: In a medical emergency, doctors may access a patient’s records without waiting for consent. Similarly, emergency services might share information to prevent serious harm.
This lawful basis is narrowly applied; it’s really about life-or-death situations, not everyday business operations.
5. Public Task
This one usually applies to public authorities and organisations carrying out tasks in the public interest.
- Example: A local council processing data for electoral registers or a government body collecting census data.
For most private companies, this lawful basis won’t apply, but it’s a cornerstone of GDPR for the public sector.
6. Legitimate Interests
Perhaps the most flexible of the lawful bases, legitimate interests allows organisations to process data when there’s a genuine business or organisational reason – so long as that interest doesn’t override individuals’ rights and freedoms.
- Example: Using CCTV for workplace security, fraud prevention, or even certain types of direct marketing.
The key here is balance. You must carry out a legitimate interests assessment to weigh your business needs against the potential impact on the individual. If the data subject’s rights take priority, you can’t rely on this basis.
Putting It All Together
So, do you always need consent to process personal data? No.
Consent is important, but it’s not always appropriate. And sometimes, relying on it can actually weaken your compliance. Imagine asking employees to “consent” to their salary being processed: they don’t really have a choice, which makes the consent invalid. In that scenario, the correct basis is contract or legal obligation.
The real takeaway is this:
- Identify the correct lawful basis for each type of processing.
- Document your decision so you can demonstrate compliance.
- Be transparent with individuals by explaining how and why their data is being used.
Once you do that, you’re not just ticking GDPR boxes; you’re building trust, showing accountability, and protecting both your organisation and the people whose data you handle.
GDPR isn’t about stopping you from using data. It’s about making sure you do it responsibly, fairly, and with clarity. Consent is just one piece of the puzzle – the real power lies in choosing the right basis for the right purpose.