Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, you’ll eventually face a situation where you need to pass someone’s details to another person or organisation. It might be as simple as sending a customer’s address to your courier, or as sensitive as sharing an employee’s health information with an occupational health provider.
At that point, many business owners hit the same question: can we do this without asking for consent?
This is where a lot of confusion comes in around sharing information without consent under GDPR. The good news is that consent is not the only way to share personal data lawfully in the UK. In fact, in many business scenarios, consent is not the best option at all.
Below, we’ll break down when it’s legal to share personal data without consent under the UK GDPR and the Data Protection Act 2018, what “lawful bases” actually mean in practice, and what you should put in place so your business stays compliant from day one.
Why Consent Isn’t Always Required (And Why That’s A Good Thing)
Under the UK GDPR, you can only process personal data (which includes collecting, storing, using, and sharing it) if you have a valid lawful basis.
Consent is one lawful basis, but it’s just one of several. In a business context, relying on consent can actually be risky because:
- Consent must be freely given - and in power-imbalance situations (like employer/employee), it often isn’t truly “free”.
- Consent must be specific and informed - vague statements like “we may share your data with third parties” won’t usually cut it.
- People can withdraw consent - and you need a plan for what happens operationally if they do.
So, if you’ve been thinking “we’ll just add a consent tick box”, pause for a moment. The more practical approach is usually:
- work out why you need to share the data,
- choose the correct lawful basis, and
- make sure you’re being transparent about it in your customer-facing and staff-facing documentation.
This is also why a properly drafted Privacy Policy matters - it’s not just a website formality, it’s part of your legal compliance framework.
When Is It Legal To Share Personal Data Without Consent Under UK GDPR?
To share personal data lawfully without consent, you still need a lawful basis under Article 6 of the UK GDPR (and potentially an additional condition if the data is “special category” data).
Here are the lawful bases that most commonly apply when UK small businesses are sharing personal data without consent.
1) Sharing Is Necessary For A Contract
If you need to share personal data to perform a contract with the individual, you may be able to rely on contractual necessity.
Example: A customer buys a product from your online shop. You share their name, address, and phone number with your delivery company so the item can be delivered. You don’t need consent for that - it’s part of fulfilling the contract.
2) Sharing Is Required By Law
You can share personal data without consent where it’s necessary to comply with a legal obligation.
Example: You share payroll and tax details with HMRC, or provide employee information needed to meet statutory reporting requirements.
Tip: “Required by law” doesn’t mean “helpful” or “standard practice”. You should be able to identify the obligation (even if you don’t quote it chapter-and-verse).
3) Sharing Is In Your Legitimate Interests (And Doesn’t Override People’s Rights)
This is a big one for many businesses. You can share personal data where it’s necessary for your legitimate interests (or those of a third party), provided those interests aren’t overridden by the individual’s rights and freedoms.
Example: Sharing limited customer information with your fraud-prevention provider to reduce payment fraud.
In practice, you should carry out a “balancing test” (often called a Legitimate Interests Assessment, or LIA) to document why your interests justify the sharing.
4) Sharing Is Needed To Protect Vital Interests (Rare For Most SMEs)
This applies where sharing is necessary to protect someone’s life. It’s uncommon in day-to-day small business operations, but it can apply in emergencies.
5) Sharing Is Necessary For A Task In The Public Interest / Official Authority
Most small businesses won’t rely on this basis unless they are delivering a public function under law or a contract with a public body.
What If The Data Is “Special Category” Data?
If you’re sharing special category data (for example: health information, biometric data, race/ethnicity, religious beliefs), you need:
- a lawful basis under Article 6, and
- an additional condition under Article 9 (for example, where it’s necessary for employment/social security/social protection law, for health and safety or occupational medicine purposes, for establishing or defending legal claims, for substantial public interest in specific circumstances, or explicit consent in some cases).
This is where businesses can get caught out - especially when handling employee medical information, equality monitoring, or workplace adjustments.
Common Scenarios For Sharing Information Without Consent Under GDPR (UK SMEs)
Let’s make this practical. Here are common situations where UK businesses share personal data, and what you should be thinking about.
Sharing Customer Data With Suppliers And Service Providers
This usually includes:
- couriers and fulfilment centres
- CRM platforms and email marketing tools
- payment processors
- booking systems
- cloud storage providers
Often, you’re not “asking consent” here - you’re relying on contract necessity or legitimate interests, and managing the relationship contractually through a Data Processing Agreement (where the supplier is acting as your processor).
If you store or share personal data via cloud tools, it’s also worth checking whether your setup is compliant - for example, with access controls, retention practices, and data location considerations. This is a common issue when businesses scale quickly and adopt new tools without a privacy review.
Sharing Employee Data Internally And With External Providers
Even small businesses often share staff data with:
- payroll providers
- pension providers
- accountants
- HR software tools
- occupational health providers (where applicable)
In many of these cases, you’ll rely on legal obligation (e.g. payroll/tax), contract necessity (to administer employment arrangements), or legitimate interests.
From a risk perspective, employee data sharing is also tied closely to having clear internal rules around device use, access, and acceptable behaviour. For example, an Acceptable Use Policy can help you set expectations around how staff handle business systems and information.
Sharing Information During Disputes, Debt Collection, Or Legal Claims
If a customer dispute escalates, or you’re chasing overdue invoices, you might need to share personal data with:
- a debt recovery provider
- your solicitor
- your insurer
- courts/tribunals (where relevant)
This is often lawful without consent under legitimate interests (recovering a debt, enforcing legal rights) and sometimes legal obligation (where formal legal processes require disclosure).
The key is to share only what’s necessary (data minimisation), keep it secure, and record what you shared and why.
Sharing Data With Other Businesses (Not Just Service Providers)
This is where things can become more sensitive.
For example, if you want to share customer lists with a partner business, or transfer data as part of a business sale or restructure, you need to be very careful about:
- whether you’re in a joint controller arrangement,
- what you told people originally,
- whether the new purpose is compatible with the original collection purpose, and
- how individuals can exercise their rights.
In these situations, a Data Sharing Agreement can be the difference between “this is well-governed and defensible” and “we’ve just created a compliance headache”.
Sharing CCTV Or Workplace Monitoring Information
If you use CCTV or monitoring tools, you may end up sharing footage or logs with police, insurers, landlords, or legal advisers.
Workplace surveillance is a high-risk area because it’s easy to collect too much data (or keep it too long) without meaning to. If you’re considering cameras, it’s worth understanding the rules on CCTV in the workplace and making sure your policies match what you actually do in practice.
How Do You Share Personal Data Without Consent And Still Stay GDPR-Compliant?
Having a lawful basis is only one part of GDPR compliance. You also need to follow the wider data protection principles (like transparency, minimisation, accuracy, storage limitation, and security).
Here’s a practical checklist you can use before your business shares personal data without consent.
1) Be Clear On Roles: Controller vs Processor
Ask yourself:
- Are you deciding why and how the data is used? If yes, you’re likely the controller.
- Is the other party using the data only on your instructions? If yes, they’re likely a processor.
This matters because controllers need the lawful basis, and processors need proper contractual terms (and can’t just “do what they want” with the data).
2) Match The Sharing To A Lawful Basis (And Document It)
For most small businesses, the most common lawful bases for sharing are:
- contract (to deliver your goods/services)
- legal obligation (to comply with law)
- legitimate interests (for reasonable business needs)
If you’re relying on legitimate interests, consider documenting a short LIA that covers:
- your purpose (what you’re trying to achieve)
- necessity (why sharing is needed)
- balancing (why the individual’s privacy rights don’t override your interest)
3) Tell People About The Sharing (Transparency)
Even when you don’t need consent, you usually still need to be transparent.
That typically means your privacy information should explain:
- what data you share
- who you share it with (or categories of recipients)
- why you share it (purposes and lawful bases)
- how long you keep it
- how people can exercise their rights
This is why keeping your Privacy Policy up to date is a real operational task, not a “set and forget” document.
4) Only Share What You Need (Data Minimisation)
A simple way to reduce risk is to share the smallest amount of information required for the task.
Example: If a delivery partner only needs name, address, and phone number, don’t also send date of birth, notes about the customer, or historic order data.
5) Put A Written Agreement In Place
If you’re sharing personal data with an external provider, you may need a written contract with privacy clauses. Depending on the relationship, that could be:
- a Data Processing Agreement (controller to processor), or
- a Data Sharing Agreement (controller to controller, or more complex arrangements).
These agreements usually cover things like security standards, breach notification, confidentiality, sub-processors, international transfers, and what happens when the relationship ends.
6) Have A Plan For Rights Requests
If someone asks “what information do you hold about me, and who have you shared it with?”, you may need to respond under UK GDPR access rights.
This is where having a clear internal process helps, especially if you have multiple systems and suppliers involved. A practical workflow for subject access requests can save you a lot of time (and reduce the risk of missing deadlines).
Common Mistakes UK Businesses Make When Sharing Data Without Consent
Most GDPR problems for small businesses aren’t caused by bad intentions - they happen because day-to-day operations move quickly, and people default to “this seems normal”.
Here are some common mistakes to watch out for.
Thinking “No Consent” Automatically Means “Not Allowed”
This leads to unnecessary friction in your processes (and sometimes poor decision-making, like trying to force consent where it isn’t appropriate).
Instead, focus on whether you have a lawful basis and whether you’ve met the GDPR principles (especially transparency and minimisation).
Over-Sharing Or Sharing “Just In Case”
Sharing extra personal data “just in case it’s useful” is one of the easiest ways to breach GDPR principles.
Get into the habit of asking: what’s the minimum the recipient needs to do the job?
Not Knowing Who You’ve Shared Data With
If you can’t track who receives personal data (and why), it becomes much harder to:
- handle subject access requests,
- investigate a suspected data breach, or
- respond to regulator questions.
Even a simple internal “data sharing register” can help you stay organised.
Skipping Contracts With Processors
If a supplier is processing data on your behalf (like a marketing platform, booking tool, or IT provider), and you don’t have the right contractual protections in place, your business can be exposed if something goes wrong.
This is one reason many businesses choose to put a proper GDPR framework in place early, such as a tailored GDPR Package.
Forgetting That “Personal Data” Is Broader Than You Think
Personal data isn’t just “sensitive” information. It can include:
- names and email addresses
- phone numbers
- customer IDs
- IP addresses and device identifiers (in many contexts)
- work emails if they identify an individual
When in doubt, assume it’s personal data and treat it accordingly.
Key Takeaways
- Consent is not the default under UK GDPR - in many business situations, it’s more appropriate to rely on contract necessity, legal obligation, or legitimate interests.
- If you’re focused on sharing information without consent under GDPR, start with the question: what is our lawful basis for sharing, and can we justify it?
- Even when you don’t need consent, you usually still need transparency - your privacy information should explain what you share, who you share it with, and why.
- Make sure you have the right written agreements in place (such as a Data Processing Agreement or Data Sharing Agreement) when third parties handle or receive personal data.
- Follow the GDPR principles: share only what you need, keep it secure, and keep records so you can respond to complaints or rights requests.
- If you’re sharing special category data (like health info), the compliance bar is higher - it’s worth getting tailored advice before you proceed.
If you’d like help reviewing how your business shares personal data (or putting the right documents and policies in place), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


