I have just been asked by my bank to let them know what my possible turnover is next year, which is fine. The have also asked me to let them know how many customers pay me cash regularly, as they are seeing me paying cash in. They are now asking if I can give them the names of those customers. I think this is a potential GDPR violation, or am I missing something? I thought I had to get the permission of people whose information I hold to pass it onto a third party. Are the bank a 'responsible' organisation with regard to GDPR and therefore exempt?