Companies need a justifiable reason to process your data, and under the European General Data Protection Regulation (GDPR), there are five acceptable justifications.
1. Consent. Consent isn’t strictly necessary, because there are other lawful bases for processing data, as we’ll see. But consent is the most direct approach and so is regularly used by companies. Consent must be freely given by you, and it must be clear and specific to a particular use of your data. Consent can no longer be implied, for example through pre-ticked boxes or by making opt-out the default. Like the other lawful bases, consent cannot be given retrospectively.
2. Contract. Data must sometimes be processed in order for the company to deliver on a contract. Without that processing, the company would not be able to serve you as a customer in the way you expect.
3. Legitimate interest. If you would reasonably expect the company to process your data, for example because processing it is the very reason you approached the company, then the company has a legitimate interest in doing so. The company must nevertheless perform a ‘balancing test’ to check whether the processing would do more harm than good, and whether it is strictly necessary.
4. Vital interest. In the relatively rare event that data processing would be necessary to save a life or in some other extreme emergency scenario, a company is permitted to process data.
5. Public interest. Where carried out by the government or a government-related entity, data processing is permitted if it is required to deliver a service in the interest of the public.