Get consent as required by law
The following are particularly noteworthy among the novelties introduced: data handling must be unambiguous. GDPR says “Silence, pre-ticked boxes or inactivity should not constitute consent”.
In addition, the nature of the consent required to satisfy the condition for processing sensitive personal data must be “explicit”. Explicit consent can be thought of in much the same way as the GDPR’s standard requirements for obtaining consent. The difference is that it must be obtained in a way that leaves no room for misinterpretation.
Consent must also be verifiable ,in other words, the business must be able to prove that it obtained the individual’s consent.