GDPR – Why Consent Should Be Used As A Last Resort

March 2, 2018

If your inbox is anything like mine, it will be full of emails about GDPR – news updates, invitations to training events, webinars and more.  That’s not surprising given that GDPR represents one of the biggest shake-ups in the privacy and data protection laws since the internet.

Europe’s new data protection law, the General Data Protection Regulation, is a complex piece of legislation. The text of the GDPR has changed many times, so some of the provisions that were originally proposed were dropped or changed substantially. If you’re wondering what actions you need to take to comply with the new laws by the end of May, which is when they come into effect, it’s important that you base your actions on well-informed, current information.

However, if you’re a small business you probably don’t have the resources and the time to understand and deal with all the minutiae in the regulations.

You may want to focus on some top-level risks: working towards GDPR compliance by focusing on the big picture and addressing the most serious risks now, while committing to making other changes gradually. In my view this is a good approach. I’m not advocating that anyone should bury their head in the sand and ignore the new regulations. Just bear in mind that complying with GDPR when you have a budget of a quarter of a million pounds to spend (as many big businesses do have) looks very different when your budget and available time are tiny in comparison.

What GDPR Impacts

GDPR impacts the way you collect identity information, how long you store it, what processes you need to introduce to control its use, what you may do with the data, and what security arrangements you need to implement to protect that data against risks such as loss or disclosure following a cybersecurity attack, and more.

A good starting point is to make a list of the data you collect and think about how you use it, how long you store it, where you store it, and who has access to it. The purpose of this exercise is to document what you’re currently doing so you can decide what you need to do in order to better comply with GDPR. What controls and processes will you be able to put in place immediately, and what might you introduce in the future?

Consent Is Not Always Necessary

A common area of confusion is whether you must obtain consent to process people’s data. While in some cases consent may be the right way to go, it is not always the right basis on which to found your decisions.

For example, processing data for many marketing activities may be better based on “legitimate interest” (that is, you have a lawful business interest in processing the data). The term “legitimate interest” is not clearly defined but is likely to be interpreted widely. Legitimate interest, or one of the other lawful “bases” under the GDPR apart from consent, can sometimes be a much better basis to rely on than consent.

In our view consent should be used as a last resort, not a first resort.  Only rely on obtaining explicit consent from data subjects where none of the other bases are engaged.

Incorporate Prominent Unsubscribe Links

Some simple steps, like incorporating a prominent unsubscribe link in all your marketing emails and not emailing people from no-reply addresses, would go a long way to avoiding annoying recipients of your emails.

For example, one email sender I’ve been trying to unsubscribe from for months is They are sending us daily emails from a no-reply mailbox. They provide no unsubscribe link. Instead you are expected to log in to their site to manage your email alerts. Why should one have to do this just to unsubscribe? I have tried blocking their emails but somehow their daily emails continue to arrive in our inbox instead of being diverted to the junk folder. (I’d love to know why this is happening.)

They’re by no means the only ones. IELPE is another organisation that emails us whose emails I just can’t seem to divert to the junk box. They too send their emails from a no reply email address, and don’t have an unsubscribe link.

In many cases, even where an unsubscribe link is provided in emails, I would be worried about clicking on the link unless I know the company. After all, it’s basic security management to not click on links. So this is why it would be good practice to not only provide an unsubscribe link, but to also not send marketing emails from a no reply email address.

I mention these as examples of what not to do. In my view it’s important to avoid attracting unwanted attention, and potential fines.


So, there are practical steps that you could and should prioritise because they’re easy to implement, and matter a lot.

I appreciate that unless you’re familiar with the regulations it can be difficult to see the wood for the trees. That is why we are introducing a low-cost GDPR service designed to support small business clients to implement a GDPR solution appropriate to their needs.

If you want help to tackle GDPR in a pragmatic way, so you can know how to deal with marketing emails, and whether you need to seek consent from everyone, then our solution will be relevant to you. Just register your interest to receive more details as they become available.