Under GDPR, which lawful basis is often described as the 'gold standard' but is frequently misapplied by organizations?