Organisations will need to review the way in which they have acquired consent. If existing consent has been established illegitimately and lacks the GDPR standard then organisations will need to refresh consent.
For example, sending an email to active data subjects explaining if they still wish to receive emails from the organisation they will need to give their consent again, such email setting out specifically the purposes for which personal data will be used.
Organisations would wish to avoid the tactics employed by both Honda and Flybe, who used historical data to distribute service messages to active and inactive users asking them to opt in. They were fined £83k in total by the ICO and serve as a useful reminder that organisations can still fall foul of data protection laws even where, such as here, an attempt to act in accordance with data protection law ultimately resulted in them breaking them.