Under GDPR there are six lawful grounds on which to process data. One of these is consent/opt-in that gives sufficient consent to use your customer data for marketing. The ICO, however, sets a high standard for consent under the DPA clause: consent “must be freely given, specific, informed” but it also goes further to include being unambiguous with a clear affirmative action (no pre-ticked boxes), keeping a record of consent and avoiding making consent a condition of a contract. The ability to withdraw consent must be easy and not incur a penalty, and regular consent reviews should be implemented.