GDPR Consent vs. Legitimate Interest: A Guide for Small Businesses & NGOs

What is a Legal Basis under GDPR?

A legal basis is the foundation that allows you to process personal data under the GDPR. Every organization—whether a small business, a freelancer, or an NGO—must be able to point to one specific legal basis for each purpose of processing. Without a valid legal basis, the processing is simply unlawful, no matter how harmless it may seem.

The challenge is that not all legal bases are created equal. Some are stable and practical; others are fragile and easy to get wrong. Consent is the one most people know, but it is also the one most often misused. To understand why, it helps to look at how consent works in the real world, through the eyes of three very typical organizations:

  • a small yoga studio offering online classes,
  • a local animal‑rescue NGO coordinating volunteers,
  • and a neighborhood bakery running a simple loyalty program.

Why Consent is Often Misused

The yoga studio is the classic example of where consent works well. They send a weekly newsletter with class updates, wellness tips, and occasional promotions. This is a genuinely optional service. People can sign up if they want, ignore it if they don’t, and unsubscribe at any time without affecting their relationship with the studio. Consent here is meaningful: the user has a real choice, the purpose is clear, and withdrawal doesn’t break anything. A simple opt‑in checkbox is enough, and the studio can easily explain what the emails contain. This is what GDPR‑compliant consent looks like in practice—clean, transparent, and low‑risk.

Things become more complicated when we look at the animal‑rescue NGO. They collect volunteer information—names, phone numbers, availability, emergency contacts—so they can coordinate shifts and ensure safety. Many NGOs assume they need consent for this, so they add a checkbox to their volunteer form. But this is where consent becomes a liability. If a volunteer withdraws consent, the NGO would have to stop using their information immediately, even if that means they can no longer contact them during an emergency or schedule them for an event. The NGO needs this information to function. Consent is the wrong legal basis here because the processing is necessary for the volunteer relationship. Withdrawal would break the workflow and undermine the organization’s ability to operate safely. The GDPR is clear: if the processing is necessary, consent is not appropriate.

The bakery faces a similar issue. They run a loyalty program where customers earn a free pastry after ten purchases. They collect names and email addresses to track points and send occasional updates. Many small businesses default to consent here too, but the same problem appears: if a customer withdraws consent, the bakery would have to delete their data and stop tracking their points. The loyalty program itself depends on the data. Consent is too unstable for something that is part of the service. The bakery needs a legal basis that reflects the fact that the processing is necessary to deliver what the customer signed up for.

Why Legitimate Interest is a Better Alternative

These examples show why consent is so demanding. The GDPR sets a high bar: consent must be freely given, specific, informed, and unambiguous. For the yoga studio’s newsletter, this is manageable. But for the NGO and the bakery, meeting these requirements becomes unrealistic. “Freely given” is difficult when there is any imbalance of power, such as between an NGO and its volunteers. “Specific” means you cannot bundle multiple purposes together, which quickly becomes messy for organizations with several data uses. “Informed” requires clear explanations that many small organizations struggle to write. And “withdrawal at any time” is the biggest challenge: withdrawal must be as easy as giving consent, and it must stop the processing immediately. For the NGO and the bakery, that would make their services unworkable.

Consent also requires ongoing maintenance. You must record who consented, when, how, and for what purpose. You must track withdrawals. You must refresh consent when your purposes change. You must ensure that your consent mechanism remains compliant over time. For many small organizations, this becomes a significant administrative burden. And because consent is so easy to invalidate, it becomes a weak foundation for any processing that your organization depends on.

This is why legitimate interest often works better for small organizations. It allows processing when it is necessary for a legitimate purpose and does not override the individual’s rights and freedoms. It is not a loophole or a shortcut; it requires a structured balancing exercise and clear documentation. But when used correctly, it offers a more stable and realistic foundation for everyday processing.

For the NGO, legitimate interest is a natural fit. Coordinating volunteers, ensuring safety, and managing events are all legitimate purposes. Volunteers reasonably expect their information to be used this way. Withdrawal would not make sense, but individuals still retain the right to object if something feels inappropriate. Legitimate interest respects both the organization’s needs and the individual’s rights.

For the bakery, legitimate interest also works well. Running a loyalty program is a legitimate business purpose, and customers expect their data to be used to track points and send relevant updates. The bakery can explain this clearly without relying on a consent mechanism that could undermine the program. Customers still have rights, but the bakery is not forced into operational chaos if someone changes their mind.

Even the yoga studio can benefit from legitimate interest for certain activities. While the newsletter should rely on consent, internal analytics, fraud prevention, or basic service improvements often fit better under legitimate interest. The key is choosing the legal basis that fits the purpose, not the one that feels safest.

Consent is powerful when used correctly, but it is not the default. It is appropriate only when the processing is genuinely optional and withdrawal does not break the service. The yoga studio’s newsletter shows how well it can work. The NGO’s volunteer management and the bakery’s loyalty program show how quickly it becomes unstable when the processing is necessary.

How to Transition to Legitimate Interest

Legitimate interest often provides a more realistic and robust foundation for everyday processing. It aligns with user expectations, avoids the fragility of withdrawal, and supports the operational needs of small organizations—while still protecting individuals’ rights. To use legitimate interest properly, you must conduct a Legitimate Interest Assessment (LIA), a structured way to document your purpose, necessity, and balancing test.

The next article will walk through how to create an LIA in a clear, practical way that fits the daily reality of a small business or NGO. If you need personalized help, just get in touch.