Blog

First of all, the GDPR recognizes multiple options for the legal basis of data processing, meaning, you are only allowed to process personal data based on one of the explicitly mentioned and predetermined bases. You must choose one legal basis per processing purpose — but different purposes can rely on different bases. As an example, an address could be used for billing and for package delivery as well.

Before you do anything with personal data, you have to decide the legal basis in advance and consider the consequences of your choice. Without further ado, let’s see the difference between consent and legitimate interest as legal bases.

Consent

Seems straightforward — we’ve all done it. But there are some things worth knowing about it. As a best practice (or we could say better to be safe than sorry way) requires an explicit and provable way of collecting consent in advance. You have to manage these records, and if someone wants their data deleted, generally you must comply and confirm the deletion.

(There are always exceptions like legal obligation or exercise of legal claims which would prevent deletion for a time and it just prevent it from using for a specific purpose. Imagine, someone steels from a shop and then asks to delete the camera footage. It makes perfect sense to keep the recording as evidence for the legal proceedings. But these are rather special cases as the example also suggests.)

Consent also has to be freely given, which complicates things in certain cases. For example, in employment matters, you can often argue whether the person really had a choice. Also, can you ensure that your electronic backups can be handled in a way that allows you to remove the data in a practical manner?

Legitimate Interest

This is a potentially much better legal basis, as the person concerned has no automatic right to have their data deleted, which can be much simpler from an operational point of view — think of deletion from backups or maintaining the integrity of your records. Sounds good?

There are still important things to consider: the GDPR prohibits processing of personal data by default (you need one of the 6 legal bases to do so), so you must prove that you need this data for your business, that the processing aligns with your actual business needs, and that it does not override the rights of the individual.

(Although, the data subject still have right to object and ask for deletion, in case, you are able demonstrate compelling legitimate grounds that override the individual’s rights, hence you may keep the data.)

What do you need to do?

You have to assess the aforementioned factors and additional ones… but how? The magic term is the Legitimate Interest Assessment (LIA). Yes, it’s true it’s requiring more documentation, but it provides significant advantages.

UK’s ICO has a great explanation page to understand the basics the LIA: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/

Let’s see how this would look in a general case (note: each EU country may have slight divergences, as the GDPR — as the name suggests — is the General Data Protection Regulation, and member states are allowed to set additional rules).

Let’s use the examples from the previous post to better understand how it works:

• a small yoga studio offering online classes,
• a local animal rescue NGO coordinating volunteers,
• a neighborhood bakery running a simple loyalty program.

Example 1: Yoga Studio

In the case of the yoga studio newsletter, consent was the right choice — but in certain cases, you may utilize legitimate interest with the same email addresses. Imagine your yoga studio is in a business relationship with the local sports store. You support each other: the sports store sends people your way, and you recommend the sports store for yoga mats. Now the sports store has a great New Year’s deal on yoga mats, so you send this offer to the people who signed up for your newsletter. This can be based on legitimate interest, but I would always recommend being upfront with people who sign up for your newsletter if you have such intentions, as transparency is one of the cornerstones of data processing.

Please note that many EU countries require prior consent for marketing emails. Recent ruling further clarified the rules around it: https://www.lexology.com/library/detail.aspx?g=bbdc6fd3-9b60-47d9-81ca-1b2bda4d9166

Example 2: Animal Shelter Volunteers

If we look at the animal shelter volunteer list, the picture changes. Consent looks good at first glance, and you may have seen similar cases where someone asked for your consent. But let’s say you want to keep records of when a volunteer worked or who handled certain tasks based on their schedule. If you relied on consent, you would be in trouble if the volunteer asks to withdrew it — you would have to delete these records as well. We would argue that it is a legitimate business interest to hold onto this information, right? So if there is no other legal basis available, legitimate interest would be more appropriate and logical here instead of consent.

Example 3: Neighborhood Bakery

In our last example — the neighborhood bakery with a simple loyalty program — the answer is simply: it depends. It’s the favorite answer of compliance professionals, as the devil is in the details, and the correct response or alternatives can only be given when the full picture is clear. To determine the right legal basis, we first need to understand how, what, and why data is being processed. Is it a simple paper system where a stamp is added to each paper card and no name or other identifier is collected? Then the GDPR does not apply, and no action is needed at all.

But what if there is an app that requires registration or tracks users in a way that makes them easily identifiable (e.g., via location data)? That’s already a much more complicated situation.

If you want to know what to do in similar cases — or in a completely different one — please contact us and let’s see how we can help.

What is a Legal Basis under GDPR?

A legal basis is the foundation that allows you to process personal data under the GDPR. Every organization—whether a small business, a freelancer, or an NGO—must be able to point to one specific legal basis for each purpose of processing. Without a valid legal basis, the processing is simply unlawful, no matter how harmless it may seem.

The challenge is that not all legal bases are created equal. Some are stable and practical; others are fragile and easy to get wrong. Consent is the one most people know, but it is also the one most often misused. To understand why, it helps to look at how consent works in the real world, through the eyes of three very typical organizations:

• a small yoga studio offering online classes,

• a local animal‑rescue NGO coordinating volunteers,

• and a neighborhood bakery running a simple loyalty program.

Why Consent is Often Misused

The yoga studio is the classic example of where consent works well. They send a weekly newsletter with class updates, wellness tips, and occasional promotions. This is a genuinely optional service. People can sign up if they want, ignore it if they don’t, and unsubscribe at any time without affecting their relationship with the studio. Consent here is meaningful: the user has a real choice, the purpose is clear, and withdrawal doesn’t break anything. A simple opt‑in checkbox is enough, and the studio can easily explain what the emails contain. This is what GDPR‑compliant consent looks like in practice—clean, transparent, and low‑risk.

Things become more complicated when we look at the animal‑rescue NGO. They collect volunteer information—names, phone numbers, availability, emergency contacts—so they can coordinate shifts and ensure safety. Many NGOs assume they need consent for this, so they add a checkbox to their volunteer form. But this is where consent becomes a liability. If a volunteer withdraws consent, the NGO would have to stop using their information immediately, even if that means they can no longer contact them during an emergency or schedule them for an event. The NGO needs this information to function. Consent is the wrong legal basis here because the processing is necessary for the volunteer relationship. Withdrawal would break the workflow and undermine the organization’s ability to operate safely. The GDPR is clear: if the processing is necessary, consent is not appropriate.

The bakery faces a similar issue. They run a loyalty program where customers earn a free pastry after ten purchases. They collect names and email addresses to track points and send occasional updates. Many small businesses default to consent here too, but the same problem appears: if a customer withdraws consent, the bakery would have to delete their data and stop tracking their points. The loyalty program itself depends on the data. Consent is too unstable for something that is part of the service. The bakery needs a legal basis that reflects the fact that the processing is necessary to deliver what the customer signed up for.

Why Legitimate Interest is a Better Alternative

These examples show why consent is so demanding. The GDPR sets a high bar: consent must be freely given, specific, informed, and unambiguous. For the yoga studio’s newsletter, this is manageable. But for the NGO and the bakery, meeting these requirements becomes unrealistic. “Freely given” is difficult when there is any imbalance of power, such as between an NGO and its volunteers. “Specific” means you cannot bundle multiple purposes together, which quickly becomes messy for organizations with several data uses. “Informed” requires clear explanations that many small organizations struggle to write. And “withdrawal at any time” is the biggest challenge: withdrawal must be as easy as giving consent, and it must stop the processing immediately. For the NGO and the bakery, that would make their services unworkable.

Consent also requires ongoing maintenance. You must record who consented, when, how, and for what purpose. You must track withdrawals. You must refresh consent when your purposes change. You must ensure that your consent mechanism remains compliant over time. For many small organization, this becomes a significant administrative burden. And because consent is so easy to invalidate, it becomes a weak foundation for any processing that your organization depends on.

This is why legitimate interest often works better for small organizations. It allows processing when it is necessary for a legitimate purpose and does not override the individual’s rights and freedoms. It is not a loophole or a shortcut; it requires a structured balancing exercise and clear documentation. But when used correctly, it offers a more stable and realistic foundation for everyday processing.

For the NGO, legitimate interest is a natural fit. Coordinating volunteers, ensuring safety, and managing events are all legitimate purposes. Volunteers reasonably expect their information to be used this way. Withdrawal would not make sense, but individuals still retain the right to object if something feels inappropriate. Legitimate interest respects both the organizations’ needs and the individual’s rights.

For the bakery, legitimate interest also works well. Running a loyalty program is a legitimate business purpose, and customers expect their data to be used to track points and send relevant updates. The bakery can explain this clearly without relying on a consent mechanism that could undermine the program. Customers still have rights, but the bakery is not forced into operational chaos if someone changes their mind.

Even the yoga studio can benefit from legitimate interest for certain activities. While the newsletter should rely on consent, internal analytics, fraud prevention, or basic service improvements often fit better under legitimate interest. The key is choosing the legal basis that fits the purpose, not the one that feels safest.

Consent is powerful when used correctly, but it is not the default. It is appropriate only when the processing is genuinely optional and withdrawal does not break the service. The yoga studio’s newsletter shows how well it can work. The NGO’s volunteer management and the bakery’s loyalty program show how quickly it becomes unstable when the processing is necessary.

How to Transition to Legitimate Interest

Legitimate interest often provides a more realistic and robust foundation for everyday processing. It aligns with user expectations, avoids the fragility of withdrawal, and supports the operational needs of small organizations—while still protecting individuals’ rights. To use legitimate interest properly, you must conduct a Legitimate Interest Assessment (LIA), a structured way to document your purpose, necessity, and balancing test.

The next article will walk through how to create an LIA in a clear, practical way that fits the daily reality of a small business or NGO. If you need personalized help, just get in touch.

The “Wild West” of Artificial Intelligence has officially packed up its wagons and left town. If you look back to the early 2020s, it felt like a digital gold rush—a chaotic, thrilling era where the only limit to what you could do with a prompt was your own imagination. But as we navigate the landscape of 2026, the atmosphere has fundamentally changed.

For small business owners and NGO directors, the conversation has shifted from a wide-eyed “Look what this can do!” to a much more grounded, and perhaps more urgent, “How do we use this without getting a formal knock on the door from a Data Protection Authority?”

We’ve reached a tipping point where innovation and regulation are finally shaking hands, but that handshake can feel a bit like a squeeze if you aren’t prepared. With the EU AI Act now reaching full enforcement as of August 2026, and the GDPR having matured into a sophisticated enforcement machine, ‘good enough’ compliance is now a major business liability. For a consulting firm working in the privacy space, we see the same pattern every day: organizations that want to be at the cutting edge but are terrified of falling off the cliff. This isn’t just about avoiding fines anymore; it’s about maintaining the trust of your clients and donors in a world where data is the most volatile asset you own.

To understand where we are, we first have to demystify the regulatory giant in the room: the EU AI Act. For years, people talked about it as a distant storm on the horizon, but today, it is the weather we live in. The mistake many SMBs make is thinking the AI Act replaces the GDPR. In reality, they are two sides of the same coin. Think of the GDPR as the protector of the person—it cares about whose data you have and how you got it. The AI Act, conversely, is the protector of the process—it cares about what the machine is doing with that data and whether it’s behaving ethically.

Most of the tools you use every day—the chat bots on your website, the AI-driven copy generators, the spam filters in your inbox—fall into what the Act calls “Minimal Risk.” But “minimal” does not mean “exempt.” By mid-2026, the transparency requirements are absolute. If a human is interacting with an AI, they must be told. “Stealth AI” is no longer a clever way to appear more “human” to your customers; it is a legal liability. The moment you cross the line into “High Risk” territory—using AI to screen CVs for a job opening, monitoring your employees’ performance, or using algorithms to decide who gets a discount or a service—you aren’t just a user of technology; you are a “deployer” of high-risk systems. This requires a level of documentation and human oversight that most small organizations simply aren’t equipped for yet.

However, the most immediate danger to your organization likely isn’t the regulation itself, but what we call “Shadow AI.” This is the phenomenon of the well-meaning, highly efficient employee who wants to save five hours of work a week. They take a sensitive client contract, a list of vulnerable donors, or a transcript of a confidential meeting and paste it into a free, public version of a popular AI tool to get a summary or a draft. In that single click, your data has entered a “black hole.”

In public-facing AI models, the information you provide is often absorbed into the collective “brain” of the machine to train future versions. We’ve already seen instances in 2026 where proprietary business strategies or private donor details were inadvertently surfaced as “suggestions” to other users on the other side of the world. For an SMB, that’s a lost competitive advantage. For an NGO, it’s a catastrophic breach of trust with the very people they exist to protect.

The solution isn’t to ban AI—that’s like banning the internet in the 90s. The solution is to move toward private, enterprise-grade environments. Most modern CRMs and project management tools now offer “Private Instances” where your data stays within your specific “tenant.” It doesn’t leave your walls to train the global model. If you haven’t audited your software settings recently, you’re likely still operating on default settings that favor the AI provider’s data-hungry training needs rather than your privacy. One of the most effective things you can do today is to hunt down every “Data Training” toggle in your tech stack and flip it to OFF.

Beyond the technical settings, you need a cultural shift in how your team handles data. We recommend a “Coffee Shop” rule: If you wouldn’t read a document out loud in a busy coffee shop, you shouldn’t paste it into a public AI tool. This is where anonymization becomes your best friend. In the GDPR world, if you strip away the names, addresses, and identifiers before the data hits the AI, your risk profile drops to almost zero. It takes an extra minute to change “John Doe from London” to “Client A,” but that minute could save you from a multi-thousand-euro fine.

Another reality of 2026 is the death of the “black box.” Under Article 22 of the GDPR, and reinforced by the AI Act, individuals have a right to an explanation. If your AI helps you decide who gets a loan, which job candidate gets an interview, or which beneficiary receives aid, you must be able to explain the “why.” If your system is so complex that you can’t trace the logic of its decisions, you are effectively flying a plane without an instrument panel. You must keep a “human in the loop.” AI should be a co-pilot that offers suggestions, but the final, legal, and ethical responsibility for every decision must land on the desk of a human being.

For NGOs, this is even more critical. Non-profits often handle what the law calls “Special Categories” of data—health records, political affiliations, or religious beliefs. In the eyes of a regulator, mishandling this data is a much more serious offense than a retail store losing an email list. For an NGO, privacy isn’t just a compliance checkbox; it’s an extension of the “Do No Harm” principle. When you use AI to translate documents for a refugee or to predict where aid will be needed next, you are handling the digital lives of people who are already at risk. Your AI strategy must reflect that.

So, where does this leave you? It’s easy to feel like the walls are closing in, but there is a massive silver lining here. In 2026, privacy is no longer a boring back-office concern; it is a brand differentiator. We are seeing a “flight to quality” among consumers and donors. People are tired of feeling like their data is being harvested by invisible machines. When an SMB can say to a client, “We use AI to give you faster service, but we use a secure, private instance that guarantees your data never leaves our sight,” that business wins. When an NGO can demonstrate to a donor that their gift and their personal data are protected by ironclad “Privacy-by-Design” principles, that NGO builds a level of loyalty that no marketing campaign can buy.

The era of experimentation was fun, but the era of accountability is where the real value is built. You don’t need a million-euro legal budget to get this right; you just need a clear policy, the right tool settings, and a commitment to transparency. Compliance isn’t the hurdle that stops you from running the race; it’s the track that makes the race possible in the first place.

The landscape is moving fast, and local laws—like the UK’s expected 2026 AI legislation—are continuing to align with these high standards. This isn’t a trend that will fade; it’s the new baseline for doing business in the 21st century.