Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you’re probably handling personal information every day - customer emails, employee records, CCTV footage, delivery details, even messages in your inbox.
And at some point, you’ll face the tricky question: can we share personal information without consent in the UK?
This is exactly where many businesses get caught out. Under the UK GDPR and the Data Protection Act 2018, consent is only one lawful basis for processing (including sharing) personal data - and it’s often not the best one for businesses to rely on.
In this guide, we’ll walk through what sharing personal information without consent means in practice for UK businesses, when it can be lawful, and what practical steps you should take to reduce your risk.
What Counts As “Sharing Personal Information” In A Business Context?
Before you can decide whether you need consent, you need to know what the law considers “personal data” and what counts as “sharing”.
What Is Personal Data?
Personal data is any information that relates to a living person who is identified, or who could be identified (directly or indirectly, including by combining it with other information). For small businesses, common examples include:
- Customer names, email addresses, phone numbers, and postal addresses
- Employee payroll details, attendance records, performance notes, and HR files
- IP addresses, device identifiers, and website account logs
- CCTV footage where individuals are identifiable
- Call recordings or recorded meetings (if individuals can be identified)
Some personal data is special category data (more sensitive), such as health information, biometric data used to identify someone, genetic data, or information about race, ethnicity, religion, political opinions, trade union membership, sex life or sexual orientation. This category has stricter rules.
What Does “Sharing” Mean?
Sharing doesn’t just mean “selling a list” (though that’s an obvious one). It can include:
- Sending personal details to an external supplier (eg a payroll provider)
- Passing customer information to a delivery company
- Providing employee data to an insurer or benefits provider
- Giving contact details to another business “partner”
- Publishing a testimonial with identifiable information
- Disclosing information in a dispute or complaint process
Even internal sharing can be an issue - for example, giving a manager access to employee health details when they don’t need it.
Do You Need Consent To Share Personal Information In The UK?
Not always. This surprises a lot of business owners, but it’s an important point.
Under UK GDPR, you must have a lawful basis for every processing activity. “Processing” includes collecting, storing, using, and sharing personal data. Consent is one lawful basis - but there are others.
The 6 Lawful Bases (And Why They Matter When Sharing Data)
For most small businesses, sharing personal information without consent may be lawful if it’s covered by one of these lawful bases:
- Contract: sharing is genuinely necessary to provide the goods/services the person requested (not just convenient).
- Legal obligation: sharing is required to comply with a legal duty that applies to you.
- Legitimate interests: you have a genuine business reason, the sharing is necessary for it, and your interests aren’t overridden by the individual’s interests, rights and freedoms.
- Vital interests: rare for businesses - usually life-or-death situations.
- Public task: generally public authorities, not typical SMEs.
- Consent: the person gave clear permission.
The practical takeaway: the question isn’t only “do we have consent?” It’s “what is our lawful basis for sharing this data?”
Why Relying On Consent Can Backfire For Businesses
Consent sounds simple, but it’s high maintenance. To be valid, it must be:
- Freely given (no pressure or imbalance of power)
- Specific and informed (not vague)
- Unambiguous (clear opt-in)
- Easy to withdraw
In an employment context, consent is often unreliable because employees may feel they can’t say no. If you’re dealing with employee data, it’s usually safer to rely on contract, legal obligation, or legitimate interests - and have strong documentation and policies in place, like an Acceptable Use Policy where relevant to workplace systems and communications.
When Sharing Personal Information Without Consent Can Be Lawful (Common Business Scenarios)
Let’s make this practical. Here are situations where UK businesses can often share personal information lawfully without consent - as long as you handle it correctly.
1) Sharing Customer Details To Fulfil An Order (Contract)
If a customer orders something from you, you may need to share their name, address, and phone number with:
- couriers and delivery providers
- payment processors
- software platforms used to manage orders
This can often be justified as necessary for a contract (for example, you can’t deliver without those details). You still need to be transparent about it - typically through a Privacy Policy.
2) Sharing Data With Accountants, Bookkeepers, Or Payroll Providers (Contract / Legal Obligation)
If you use external professionals, you might share:
- employee payroll information
- tax-related records
- customer invoice details
This can often be supported by contract necessity and/or a legal obligation (for example, where specific record-keeping or reporting duties apply). The key is making sure you have the right agreements in place with providers who process data on your behalf (often called “processors”).
3) Sharing Employee Information Internally For HR Management (Legitimate Interests / Legal Obligation)
Managers often need some employee information to do their job. But you should limit it to what they actually need.
For example:
- sharing performance notes with HR and a relevant manager may be justified
- sharing medical details widely across the business likely won’t be
This is where businesses often get caught out - not because they shared data, but because they shared too much, with too many people, and without a clear reason.
If you want a deeper look at common pitfalls, this often overlaps with employer duties when sharing employee personal information.
4) Sharing Information To Handle Complaints Or Disputes (Legitimate Interests)
If a customer complains, you may need to share order history, messages, or account details with:
- your customer support team
- a payment provider (eg in a chargeback dispute)
- your lawyer (if the matter escalates)
This is commonly handled under legitimate interests - you have a legitimate need to protect your business and respond properly.
That said, you should still share the minimum needed, keep records, and avoid sharing irrelevant information.
5) Sharing Data Because The Law Requires It (Legal Obligation)
Sometimes you must share personal information, even if the individual doesn’t want you to. Examples include:
- HMRC requests made under relevant legal powers in connection with tax compliance
- court orders requiring disclosure
- certain lawful requests from regulators
In these cases, the lawful basis is typically legal obligation - but you should still verify the request before you respond and keep a clear paper trail. Check which legal power the request cites and whether it actually compels disclosure (a request is not always an order), and confirm the requester’s identity using contact details you have independently verified rather than those in the request itself, because fake “regulator” or “court” requests are a known way of tricking businesses into handing over data.
When Sharing Personal Information Without Consent Is High Risk (And Often Unlawful)
There are also scenarios where sharing personal information without consent is far more likely to breach UK GDPR - especially where the sharing isn’t necessary or the person wouldn’t reasonably expect it.
1) Marketing “Introductions” And Passing On Contact Lists
If you’re thinking: “We’ll just share our client list with a partner business and they’ll do the same for us,” pause.
This is one of the most common high-risk areas for small businesses. Even if you believe it’s good for customers, it can be unlawful if:
- you don’t have a clear lawful basis under UK GDPR
- customers weren’t told their data would be shared
- it breaches marketing rules (including PECR, where those rules apply)
If your business does any direct marketing, it’s worth getting your privacy wording, opt-ins and internal process checked, ideally as part of a GDPR package approach, rather than patching it together as issues come up.
2) Publishing Customer Stories, Reviews, Or Photos Without A Clear Basis
Testimonials and before-and-after images are great marketing - but you need to be careful about whether the person can be identified.
Even if a customer informally “said it was fine”, that doesn’t always meet the standard of valid consent (and if they later withdraw permission, you need a plan).
3) Employee Monitoring Without Proper Controls
Monitoring tools can involve sharing personal data with third-party software providers (and also “sharing” internally with managers). That can be lawful, but only if you do it transparently and proportionately.
This often comes up with workplace monitoring and CCTV. If you’re considering surveillance, make sure you understand what’s acceptable and how to implement it properly, including whether cameras in the workplace are being used lawfully.
4) Sharing Special Category Data Without Extra Safeguards
If you’re sharing anything health-related (eg sick leave information, medical notes, adjustments), you may be dealing with special category data.
In that case, you usually need:
- a lawful basis (like legitimate interests or legal obligation), and
- an additional condition for processing special category data (and, in some cases, a further requirement such as an appropriate policy document)
This is a technical area, and it’s worth getting advice early rather than trying to fix it after the fact.
Practical Steps To Share Data Lawfully (And Protect Your Business)
Even when you have a lawful basis, your obligations don’t stop there. UK GDPR is as much about how you share as it is about whether you share.
1) Document Your Lawful Basis Before You Share
Get into the habit of asking:
- What exactly are we sharing?
- Who are we sharing it with?
- Why is it necessary?
- What lawful basis are we relying on?
- Would the person reasonably expect this?
This is especially important if you’re relying on legitimate interests, because you should be able to justify your balancing decision. The ICO calls this a legitimate interests assessment (LIA) and expects you to record it, so a short written note covering purpose, necessity and the balancing test is the minimum.
2) Be Transparent From Day One
People generally feel blindsided when they discover their information has been shared without them knowing - and that’s when complaints happen.
Your privacy documentation should clearly explain:
- what data you collect
- why you collect it
- who you share it with (including categories of recipients)
- how long you keep it
- how people can exercise their rights
For most businesses, this sits in your Privacy Policy, plus any just-in-time notices (like checkout wording or onboarding notices).
3) Use Data Processing Agreements With Suppliers
If a third party processes personal data for you (eg your CRM provider, payroll software, marketing platform), UK GDPR (Article 28) requires a written contract that sets out:
- what they can do with the data (acting only on your documented instructions)
- security requirements
- sub-processor controls
- breach reporting obligations
- what happens to the data when the service ends (deletion or return)
These contracts are a major part of your GDPR compliance and reduce your risk if something goes wrong.
4) Have A Clear Plan For Data Breaches
Sometimes “sharing” happens accidentally - for example, emailing the wrong attachment, CC’ing the wrong recipient, or a supplier experiencing a security incident.
That’s why small businesses should have a process for spotting, investigating, containing and (if needed) reporting breaches. If a breach is likely to result in a risk to individuals, you must report it to the ICO within 72 hours of becoming aware of it, and where the risk is high you must also tell the affected individuals, so the clock starts early. A Data Breach Response Plan can make a big difference when you’re under time pressure and trying to make the right call.
5) Prepare For Data Access Requests And “Who Did You Share My Data With?” Questions
Individuals have rights under UK GDPR, including the right to request access to their data (a “subject access request”), which you normally have to answer within one month. In practice, this often includes questions like:
- What information do you hold about me?
- Where did you get it from?
- Who have you shared it with?
If you can’t answer those questions confidently, that’s a sign your record-keeping and data mapping need work. Many businesses set up a workflow using an Access Request Form so requests don’t get missed or mishandled.
6) Be Careful With Audio/Video Recording
Recordings can quickly become personal data - and if you share them (even internally), you need to justify it.
If your business records meetings, calls, or uses audio-enabled CCTV, it’s worth checking whether recording conversations is being done lawfully and transparently, and how long you keep recordings for.
Key Takeaways
- Sharing personal information without consent in the UK isn’t automatically unlawful - but you must have a lawful basis under UK GDPR, and consent is only one option.
- Most small businesses rely on contract, legal obligation, or legitimate interests to share personal data (eg to deliver services, pay staff, respond to disputes, or comply with law).
- High-risk sharing often includes marketing introductions, publishing identifiable customer content, and disclosing more employee data than necessary - especially where people wouldn’t reasonably expect it.
- Transparency is essential: make sure your privacy notices clearly explain what you share, why you share it, and who you share it with.
- Supplier contracts and internal policies matter - strong documentation and sensible access controls reduce your risk and make compliance manageable.
- Have a plan for mistakes: accidental disclosure can still be a personal data breach, so it’s worth having a clear response process in place.
If you’d like help getting your data sharing processes compliant (or you’re dealing with a complaint or possible breach right now), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.