Dispelling the "consent" myth

Published On:Friday, May 25, 2018

There continues to be large amounts of misinformation and myths with regard to the General Data Protection Regulation (GDPR) which businesses and organisations that process personal data must be wary of.

In particular, there is a mistaken belief that consent is required to continue to process personal data.  This is incorrect and data protection authorities have been at pains to emphasise this.


The GDPR provides a number of conditions which may be relied upon to ensure processing of personal data is lawful, one of which is consent.

Where a business has an existing relationship with customers who have purchased goods or services from you, then it is likely that one of the other conditions, for example a contract for services or the legitimate interests condition will apply, and consent will not be required.

Even in circumstances where consent was relied upon, for example a person is a member of a sports club or voluntary organisation, it is not necessary to renew consent to continue to process that member’s personal data.


All businesses and organisations do need to review their processing of personal data and make sure they know what personal data they process, why they process it, what measures are needed to keep that data secure and how long they keep it.

Having done so you need to explain these reasons to your customers, clients or members.

Providing clear information about the processing of personal data is important and will help build trust and confidence going forward.

To understand what you need to do please read our Small Business guide at:-


There are separate rules around consent to use personal data for sending direct marketing by electronic methods, such as email and SMS.  If you use these direct marketing methods you must comply with the Unsolicited Communications Regulations, which are independent of the GDPR and data protection legislation, and more information on direct marketing can be found on the website