Despite what the non-stop wave of e-mails, text messages, and notices popping up everywhere would have you believe, GDPR is not about consent.
In fact as a rule of thumb what the legislation suggests is that consent should only be relied on to collect, store, or process personal data if you do not have any other legitimate reason to do so.
A quick look at the lawful bases provided for under GDPR, and the rights that each provides, show this quite well.
- Consent: the subject has given clear consent to process their data for a specific purpose
- Contract: processing is necessary to fulfil a contract with the subject, or to prepare a contract that they have requested
- Legal obligation: processing is necessary to comply with the law (exception being contractual obligations)
- Vital interests: processing is necessary to protect someone’s life (not necessarily the subject)
- Public task: processing is necessary to perform a task in the public interest, or for your official functions
- Legitimate interests: processing is necessary for legitimate interests of yourself or a third party (this does not apply to public authorities carrying out official tasks)
The only reason all of these consent notices are popping up everywhere is because none of the other bases apply. Mostly it’s about getting consent to profile you in order to better target advertising. So, when ticking those consent forms, or giving consent, it’s worth remembering that it isn’t down to GDPR that you’re now seeing them everywhere – it’s down to companies being desperate to use your personal information to more effectively persuade you to buy things or think a certain way, and not having any reason in your interest for doing so.