A frequent question about legacy systems is about consent.
Article 29 WP has published a Guideline on Consent under the GDPR
The Guidance indicates that consent which has been obtained prior to the GDPR will continue to be valid under the GDPR, provided it meets the conditions for consent required by the GDPR.
The Working Party notes, in this regard, that existing consents must meet all GDPR requirements if they are to be valid, including the requirement that the data controller is able to demonstrate that consent was validly obtained.
Thus, the Working Party is of the view that any consents which are presumed to be valid, but of which no record is kept, will not be valid under the GDPR.
Similarly, existing consents that do not meet the “clear affirmative action” requirement under the GDPR, for example, because they were obtained by means of a pre-checked box, also will not be valid under the GDPR.
For processing operations in relation to which existing consent will no longer be valid, the Working Party recommends that data controllers (1) seek to obtain new consent in a way that complies with the GDPR, or (2) rely on a different legal basis for carrying out the processing in question. If a data controller is unable to do either of those things then the processing activities concerned should cease.