Many articles in news media indicate that processing personal data is only allowed with the consent of the data subject. Anyone keeping an eye on the news around GDPR will have noticed.

After many GDPR projects in different organizations, I tend to think that after implementing GDPR it might be the other way around: consent is asked for less than ever before. Why?

First, it is really a misunderstanding to think that consent is required for all kinds of processing of personal data. Consent is only one of the six legal bases defined in the GDPR. Unfortunately, ‘consent’ is listed first in the GDPR text, while it is in practice more of a ‘last resort’. If no other legal basis applies, you ask for consent …

And especially the legal basis ‘legitimate interest’ is very interesting for many organizations, because this is a judgment of the organization itself. For example, I recently attended a GDPR meeting for churches, where a national denomination stated that all processing of members' data will be done under legitimate interest … “We will see how this will work out”.

What actually happens is that many organizations now make careful judgments about the legal basis for their processing. Where in the past consent was applied without much thought, this reconsideration will lead organizations to the position that ‘legitimate interest’ can also be defended. And that takes away the administrative burden, because the conditions for valid consent under the GDPR are strictly prescribed.

All in all a surprising side effect of the GDPR! Curious about your opinion!


Leen Roeleveld
