Re: No consent for data sharing in the first place
I don't know how the UK DPA has implemented GDPR, but in Germany you need to sign a form saying you have been informed of how the company will be handling your data and that you give them the right to pass on that data to named third parties.
Case in point, my doctor was on holiday yesterday, so I went to his locum. There I had to sign a data protection sheet, that stated that they would store my data and hand it on to my health insurance NPO and my normal doctor. Without that, they couldn't store my data (and therefore I wouldn't be able to have a consultation).
We are starting to use Teams at work. Part of the process is that all employees have to sign a waiver that they have been informed that their name will be stored in our Microsoft cloud as username and firstname, forename, but not other information will be used, and that that information will be visible to other Teams users, including external Teams users who they communicate with.
Without the waiver, they cannot have access to Teams. Several employees won't sign, so they can't use Teams.