Q. Are you getting consent/refreshed consent for your data subject for GDPR? Do I need consent for this process? – In short, you only need consent if your legal basis for processing is consent (there are 5 other bases for processing), and you only need to re-capture it if it wasn’t gathered in a GDPR-compliant manner.
Full Answer: There are 6 lawful bases for processing, and you can read more about them in Article 6 of the GDPR or on the ICO’s website. Consent is only 1 of 6 and, according to the ICO, “you often won’t need consent”, so this should be your first question: do you really want to base this processing on consent, or is there another lawful basis that is better suited? For example, if you need data to fulfil a contract, your lawful basis is likely to be ‘contract’; if you need to process your personal data to comply with a common law, then your lawful basis is likely to be ‘legal obligation’.
So, once you have decided that this process needs to be based on consent (you want to put the individual in charge and let them decide whether they want to give you the personal data or not, i.e. sign up for a newsletter), you need to find out if consent has already been captured for this process. If it has not, you will need to ask your data subject to give you their consent. If it has been gathered in a non-compliant manner, you should assume that you do not have the consent of the data subject after May 2018 and progress much the same way as you would to gain their consent in the first place.
When you gain the consent of a data subject, this consent must be explicit about what the consent is for, it must be informed and freely given, and it must be a positive and active opt-in (i.e. no confusing words, detriment to the subject or pre-ticked boxes). If your consent is not/was not gathered in such a manner, then it will not be a valid lawful basis for processing after the 25th May 2018 (and arguably isn’t lawful now).
– Don’t forget to think about the privacy notice that needs to go alongside the consent to ensure it is informed, how you will actively maintain your consent database across your business and how you will respond to individual rights requests.