
Can My UK Business Share Personal Information Without the Consent of That Individual?

Most business owners understand the need to store personal information on their company’s computer system safely. However, there is less online guidance concerning the potential act of sharing personal data outside your organisation. This is because the General Data Protection Regulation (GDPR) and Data Protection Act encourage businesses to avoid doing so outside specific circumstances. This article will explore situations where your UK business can share personal information with others without the consent of that individual. This should allow your company to weigh the pros and cons of doing so in particular circumstances.

What is the GDPR?

The General Data Protection Regulation (UK GDPR) sets data protection rules for UK organisations. One of its primary purposes is to protect personal information and deter inappropriate use. Consequently, the starting point for UK businesses is that, generally, you should avoid sharing personal information without the consent of the individual.

However, as with most rules, certain exceptions allow your business to do so. Within this article, we will explore when your company may wish to use an appropriate exemption. It is vital to ensure full compliance with the GDPR when sharing personal information, given the ability of the Information Commissioner’s Office (ICO) to fine businesses up to £17.5m for GDPR violations. 

Who are the ICO?

The Information Commissioner’s Office is an independent body that can impose significant financial penalties on UK businesses in breach of data protection law.  

The ICO will penalise UK businesses for sharing personal information in unsuitable circumstances without the individual’s prior consent. Part of the reasoning behind its ability to issue fines in the millions of pounds is to deter companies from ignoring GDPR rules.

Let us explore some reasons for wishing to share personal information with others and the appropriate GDPR-derived exemptions that allow this.

Why Share Personal Data With Others?

Suppose you run an advertising agency, and your employees are all subject to income tax and national insurance contributions. HMRC audits your business and seeks information regarding certain individual staff members (data subjects). Generally, payslips will contain information about their pay, home address, full name and national insurance number. Consider whether you must obtain consent from those individuals before disclosing that information regarding their payslips.

You do not need consent in this situation because your business can rely on the ‘law enforcement processing’ exemption. This exemption legally obligates your company to assist a law enforcement agency with its statutory duties.

This is similar to the Police investigating a crime and seeking to view CCTV footage relating to a staff member. Your company is bound to provide information relevant to their investigation absent that individual’s consent. The GDPR allows this because it is in the public interest to permit data sharing with law enforcement bodies.

Scenarios Outside Law Enforcement

The principal exemption outside of law enforcement processing involves the good performance of a contract.

Let us say that your business has 50 staff members and uses an online payroll management system. Your employment contracts with those staff members will legally bind you to pay them an appropriate monthly wage, most likely by bank transfer by a specific date.

Most online payroll systems require you to enter personal details into their system (such as full name, home address, email address and national insurance number). This information is necessary to ensure accurate and swift wage payments.

In this scenario, your business does not need to obtain prior consent from each of your staff members before wage payments. Instead, it can utilise the ‘performance of a contract’ exemption. This exemption relies on the fact that an individual has asked your business to carry out a task (in this case, to pay them a wage), and that involves sharing non-sensitive personal information.  

This is similar to a customer asking you to post an item to them and your company using Royal Mail. Providing a customer’s name and delivery address details to Royal Mail is technically an exchange of personal information. However, because the individual has asked for delivery as part of the purchase, this comes under the contract performance exemption.

Whilst the GDPR wants to guard against unnecessary and unreasonable transfers of personal data, it does not wish to prevent businesses from performing contractual tasks with individuals.

Key Takeaways

Fortunately, the GDPR takes a common-sense view of businesses sharing personal information with others. If that information is reasonably provided to comply with the law or carry out the fair performance of a contract, the ICO usually allows this. It is only when a business provides personal information absent an exemption or consent (for example, selling personal data to telemarketers) that companies get in trouble with the ICO.

If you need help ensuring the safe disclosure of personal information outside your company, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Outside of law enforcement and contract performance reasoning, should my business obtain consent before data sharing?

The starting point is obtaining prior consent before sharing personal information. Your company should only consider doing otherwise where an appropriate GDPR exemption applies.

What if personal information is sensitive personal data?

You should always attempt to obtain prior consent from an individual where the information requested is sensitive personal data. Sensitive personal data includes information relating to sexual orientation, health conditions and political viewpoints.

Thomas Sutherland
