Whether it's your employees, customers or suppliers, you can only use personal information for the reasons (processes) you have declared in your privacy information.
This means that to carry out a new processing activity you must get consent from the individual, unless:
- the process is compatible with your original purpose.
- you have a clear obligation or function set out in the law.
When reviewing and implementing any new changes to your processing activities, you must first check that what you are intending to do does not fall outside the scope of the services you offer.
If the processing activity does fall outside of the scope of the services you are offering, you would need to get consent from the individual, unless that purpose is a clear obligation or function set out in the law.
If your processing is likely to result in a high risk to the rights and freedoms of individuals, it may also be necessary to first undertake a Data Protection Impact Assessment (DPIA) to assess any new risks to individuals' privacy.
If you wanted to start marketing new products and offers to your customers, this would fall outside the direct scope of your original purpose of delivering goods and / or services. This would mean you would need to gain consent (explicit permission) from the individual to use their personal data for the purpose of marketing (for example, a purpose described as "keep up to date with our latest offers and services").
You may also be required to undertake new processing activities under a clear legal obligation set out in the law; for example, you may need to hold financial records for years for HMRC. As this is a legal requirement, you do not need consent to add it as an additional purpose for processing in your privacy information.
What the regulator says
"Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes."
- GDPR: Principles relating to the processing of personal data - Article 5(1)(b)
- GDPR: Principles relating to the processing of personal data - Article 6
- GDPR: Principles relating to the processing of personal data - Article 30
- GDPR: Principles relating to the processing of personal data - Article 50
- EDPB Guidelines on Data Protection Impact Assessment (DPIA)