Two common mistakes when relying on consent under the GDPR

2 mins read • Legal Writer • GDPR • 25 June 2025

Consent is one of six lawful bases for processing personal data under the General Data Protection Regulation (GDPR). However, GDPR consent may only be used where it is genuinely freely given and informed, and can be withdrawn; otherwise, the processing is unlawful. Despite this, consent under the GDPR is often used by default without regard to the strict conditions that apply. Below are two frequent pitfalls to avoid.

1. Consent is used where it is not freely given

Where there is a dependency or imbalance of power, for example between an employer and an employee, the voluntariness of consent is doubtful. In such cases, another lawful basis for processing personal data under the GDPR should be considered, such as contract or legitimate interests. Always ask whether the data subject truly has a free choice, or whether the situation means they effectively have only one option. This is essential to ensure informed consent under the GDPR and to preserve the lawfulness of processing.

2. Consent cannot be evidenced or withdrawn

Many organisations lack documentation proving that consent was validly obtained. The GDPR requires that consent is traceable and that withdrawal of consent is as easy as giving it. A tick-box alone is insufficient: the organisation must be able to demonstrate when, how and for which purpose consent was captured. In practice, maintaining a GDPR consent log is prudent, covering the consent record, the notice shown, and the purpose. Clear procedures are also needed to manage the full life cycle of consents, including the data subject’s right to withdraw consent and the operational steps to effect swift withdrawal.

At Morling Consulting, our GDPR lawyers help organisations assess when consent is the right lawful basis and ensure it meets the Regulation’s requirements. We review not only forms and copy, but entire consent processes—from collection through to potential revocation—so that GDPR consent is evidenced, auditable and aligned with compliance by design.

Related considerations often include employee consent under the GDPR (where reliance is usually inappropriate due to imbalance), documenting informed consent under the GDPR, and aligning records of processing with your consent framework to support the overall lawfulness of processing.

If you need support establishing a robust GDPR consent log, evidencing consent, or operationalising the right to withdraw consent, our team can assist with design, implementation and governance.