UK GDPR mythbuster

Use our mythbuster to separate the fact from the fiction around the UK GDPR when it comes to visitor books, photo archives, consent and more.

Last reviewed on 10 November 2022
School types: All · School phases: All
Ref: 34667

To download a quick guide to UK GDPR basics, check out our 1-page summary

Myth Fact You need to seek consent for all the personal data you process Not true. You probably won't need to seek consent that often. You need to have a ‘lawful basis’ (legal reason) for processing personal data, and consent is just 1 of 6 lawful bases you can use. Only use consent where none of the other bases apply, as the standard for getting consent is very high and individuals can say no or withdraw it at any time, which could cause you problems. Follow our process to decide if any of the other bases apply, before you consider seeking consent. The UK GDPR contains specific rules about how long you can retain records for Not true. The UK GDPR contains principles for good management of personal data, rather than specific rules on how you