Do not confuse consent with other legal bases for data processing
Consent has high requirements and can be withdrawn at any time
Consent is useful if you want to give more control to data subjects, or if there is no more relevant and stable legal basis
Often, I have seen employees trying to obtain consents where they were not required, or data subjects trying to withdraw consents they never gave. That is because many people do not understand the legal bases for data processing. These are listed in GDPR Articles 6 and 9, the latter being relevant for special categories of personal data, such as data on health, race, philosophical, religious and political views, trade union membership, genetics, biometrics, or sexual life. Legal bases other than consent include, for instance, performance of a contract, legal obligations, public interest, or legitimate interests of the controller or a third party, such as exercising rights, ensuring security or pursuing claims.
For instance, collecting GDPR consents for posting photos from events is risky, since anyone who withdraws consent can oblige you to take down part of your event gallery. Rather, I look for relevant provisions in intellectual property or mass events law, which often entitle you to use photos from events without asking each person in the crowd.
Consent is just one of the possible legal bases for all data categories except data on criminal convictions and offences, whose processing has to be authorised by law. Consent must be freely given, specific, informed, unambiguous and explicit. To be freely given, it should not be relied on in imbalanced relationships, which is often the case where the controller is a public authority or an employer. Neither can you make performing a contract or providing a service conditional on consent to processing of personal data that is not necessary for the performance of that contract. I suggest collecting consents where there is no stronger legal basis, or when you want to make sure the data subject has subscribed to such processing (for instance a newsletter, optional services, or promotional materials).