GDPR Myth Busting – We need the data subjects permission to process their data

No, you don’t – you must have one of six lawful reasons for processing data set out in the regulations, but not necessarily Consent. This includes:

  • where you are carrying out a Contract with the data subject or are taking steps to enter into a contract, a law firm carrying out conveyancing, or an insurance company getting information to prepare a quote.
  • where a law specifically requires the processing to be done, such as money laundering checks or employee right to work checks.
  • for your own or a third parties, legitimate interests. This is best where you use people’s data in ways they would reasonably expect and has little impact on privacy. For example, it is a legitimate interest for an internet shopping site to have contact details and a delivery address for shoppers.

Find out more