
GDPR: Why do you hold personal data?


According to the General Data Protection Regulation (GDPR), there are six lawful bases for us to hold and process personal data.

GDPR is about altering perceptions and the culture around why we hold data. We should only hold data we need, not keep data for the sake of it.

Here is a summary of the six lawful bases under GDPR, with links to the Information Commissioner’s Office (ICO) framework for compliance to help answer any additional questions.

1. Consent

2. Contract

  • Not as much has changed here. You still have a contractual basis to hold and use data if you need it to fulfil a contractual obligation or to enter into a contract, e.g. providing a quote.
  • You do not need the agreement written down, but the information you use must be necessary, e.g. you need an address to deliver a product, but you don’t need the individual’s preference or interests. If you want the latter for targeted advertising, you would need to gain consent for this. The bank details of your employees are also necessary for you to provide the contractual agreement for payment.
  • For more details visit

3. Legal obligation

4. Vital Interests

5. Public Task

6. Legitimate Interests

  • For small businesses, the lawful basis of legitimate interests will be crucial. It is flexible, but it is also complicated. As described by the ICO, there is a three-part test to establish this lawful basis:
    • Identify a legitimate interest
    • Show that the processing is necessary to achieve it
    • Balance it against the individual’s interests, rights and freedoms.
  • A good gauge for legitimate interest is: would the recipient reasonably expect to receive the information/marketing? If you send to an existing client, they probably would. If you send to someone who has enquired about your services, they probably would. (Here you need to think about how long you hold the information, as this will affect the ‘reasonable expectation’ of the individual.)
  • Please note that legitimate interests is not a ‘get out of jail free’ card. It is about balancing your needs with the individual’s and showing thought and consideration. For example, you can’t just bombard a client continually because they are a client. Your processing of their data should be done carefully and mindfully.

So what can you do practically to justify your lawful basis for holding and processing information under GDPR?

To do:

Look at the list of personal data you hold and process and think about why you keep this data. What lawful basis would it come under?

  • Check your consent procedures

    • Do you explain what they are signing up for?
    • Do you state what they might receive from you? E.g. consider wording like: “Do you give consent to receive our newsletter, emailers and relevant offers and promotions?”
    • Do you refer to the privacy policy? (We’re covering this on the next blog)
  • Have you set guidelines for how long you will keep their data?

    • Ask yourself for what length of time it would still be appropriate for you to make contact.
    • This will depend on your industry and service and product.
    • Don’t forget to consider clients, prospects and employees separately.
  • Where you have stated legitimate interests, document your reasons why:

    • Why is it acceptable for you to contact them?
    • Why is the information relevant to them?

Don’t forget to keep records of all your documentation and the processes you have gone through to arrive at your conclusions. Keep building evidence in your GDPR file.

Next time – How to write your privacy policy.
