Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law.
If the controller does not have a lawful basis for a given data processing activity (and no exemption or derogation applies), then that activity is prima facie unlawful.
What should organisations do to prepare?
Having a lawful basis for each processing activity is critical to an organisation's ability to comply with EU data protection law. Therefore, organisations should:
• review all of their data processing activities;
• ensure that they have a lawful basis for each processing activity (or that an exemption or derogation applies);
• where consent is the basis for processing, review existing mechanisms for obtaining consent, to ensure that they meet the GDPR's standards; and
• where a legitimate interest is the basis for processing, maintain records of the organisation's assessment of that legitimate interest, to show that the organisation properly considered the rights of data subjects.
Source: White & Case GDPR Handbook - Unlocking the EU General Data Protection Regulation