Part 3: GDPR – valid reasons for processing data

In this series of blogs on GDPR, I’m helping small businesses understand what this change in our data protection law will mean for them, and sharing tips and advice I’ve found useful for my own business, Sayers Solutions – Marketing and Strategy for Small Businesses.

To recap, GDPR stands for General Data Protection Regulation and will replace our current data protection laws from 25th May 2018. It is the biggest change to our data protection laws for over 20 years and is being introduced to strengthen EU citizens’ privacy rights.

Valid reasons for processing data
In short, GDPR is being introduced to increase protection of personal data – any information that identifies a person. However, it also demands that you have a valid reason for processing that personal data in the first place.

The Information Commissioner’s Office website states, “You must have a valid lawful basis in order to process personal data”, and goes on to explain what the six lawful bases for processing personal data are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public tasks
  • Legitimate interests

I’m not going to talk about each term here but I thoroughly recommend you check out the ICO website which offers an excellent ‘At a Glance’ section for each legal basis. Visit:

But let’s take a closer look at ‘Consent’. We’ve all heard about consent. You tick a box and give permission blah blah blah. But do you ever wonder what exactly you are giving permission for? With GDPR, organisations now need to make sure ‘permission’ is transparent and granular.

This means:

  • making your request for consent prominent and separate from your terms and conditions
  • asking people to positively opt in and not using pre-ticked boxes
  • using clear, plain language that is easy to understand
  • specifying why you want the data and what you will do with it
  • clearly naming your organisation and any third-party controllers who will be relying on the consent
  • reassuring individuals they can withdraw their consent
  • not making consent a precondition of a service
  • and offering separate sign-up to separate offerings (a vague, blanket catch-all is not acceptable).

This information has been taken from the ICO website which provides a checklist to use when you are asking for consent. It’s a great resource for ensuring you are compliant. Check it out at:

Consent is an important legal basis for me. As a small business owner, I am keen to nurture the contacts and relationships I have made through keeping in touch by email. But what will GDPR mean for email marketing?

You should also be aware of the PECR and ePrivacy regulation. The Direct Marketing Association (DMA) explain how PECR/ePrivacy and DPA/GDPR work together for email marketing:

“Under PECR and ePrivacy you need consent or an existing customer relationship to send email marketing. If you want to make your emails more timely, targeted and tailored to the individual, you need data: Demographics, preference, purchases, browsing behaviour, location and device information. All this extra information can help make email more relevant and valuable but data protection regulations (DPA and GDPR) require you to have a legal basis for this. This is to ensure what you do is fair, transparent, not excessive, and to make sure you look after the data you collect, store and use. And for that you need consent or ‘legitimate interest’.”


We’ve covered consent but what is meant by the lawful basis ‘legitimate interest’?

Legitimate interest could be interpreted as a catch-all basis for data processing. As explained by the ICO website, it “is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate”.

It goes on to explain:

“It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.”


As the most flexible of the lawful bases for processing data, legitimate interests could be seen as the general fall-back option. However, the introduction of GDPR means we now need to flip our perspective and focus on the data subject. It is their rights that GDPR is helping us protect. If I think about my own personal data, how I’d like it to be kept safe, and my right to request its erasure, then GDPR is certainly something to celebrate.

Look out for my next blog covering why you should think about how long you should keep data for.

If you would like to discuss your GDPR compliance, or any other marketing activity, then please get in touch. Sayers Solutions are well connected with experts on this matter and would love to help support your business.

If you want to arrange a conversation, we can chat over the phone or potentially Skype. Give me a ring on 07790705223 during reasonable business hours (yours might be more generous than mine, so please don’t ring too early! #SchoolRunMum).

If you are in the Huddersfield/Wakefield/Leeds area, let’s arrange to meet to discuss this or your marketing activity further.

Or email me through the website contact form.

Look forward to hearing from you,

Merewyn Sayers
Sayers Solutions – Small Business Marketing and Strategy