Contrary to popular belief, ‘consent’ is not necessarily the ‘best’ lawful basis. It can be problematic. Many GDPR fines, including Google’s €50m fine from the CNIL, the French supervisory authority, result from invalid consent.
Controllers are responsible for identifying the most appropriate lawful basis for their use of personal information. For businesses, that choice is very often between consent and legitimate interests. The GDPR exists to give people control over their own personal information, and the consent basis is the epitome of this: it gives individuals ongoing control over how their personal information is used, including the right to withdraw that consent at any time.
When to use consent as your lawful basis
The consent basis is most appropriate when an organisation wants to use personal information in a way that people would not expect or that is potentially intrusive (e.g. where you would like to share a person’s contact details with a third party). Consent should only be used where you are able to offer individuals a genuine choice and control over how their personal information is used. You must also have systems in place so you can stop processing as soon as possible if consent is withdrawn. Remember, the consent basis hands the individual genuine control over how their personal information is used; it is in no way a tick-box exercise to fulfil and then forget about. You must also keep a record of each consent: who consented, when, how, and what they were told. This allows you to monitor and refresh consents (if necessary) and to demonstrate that the individual has consented to the processing.
When not to use consent
It is very difficult to rely on consent as a lawful basis in an employment context. This is because the imbalance in the relationship between employer and employee creates a presumption that the consent was not freely given, which invalidates the consent. The same applies to any situation where an organisation is in a position of power over the individual, e.g. a school/pupil relationship. The individual must not fear any adverse consequences of refusing or withdrawing consent; where such a fear is plausible, a different lawful basis should be used.