The lawful basis on which you process an individual's data should be clear. If it is not, you need to identify it and document it.
Once you have clarity on the lawful basis under which you are processing the data, you need to update your privacy notice so that individuals know which basis you rely on.
A lot of organisations don't think about the lawful basis under which they process data; they just do. Under GDPR this is no longer acceptable, because some of the individual's rights change depending on the basis you used for processing their data.
For instance, if you rely solely on consent for processing data, the individual has a much stronger case for deletion (they can simply withdraw consent) than if the lawful basis is a contract such as a subscription to a paid service. This does not mean you can send marketing emails on the basis of a subscription to a paid service; it only means you have a different lawful basis for processing the data.
When responding to a Subject Access Request you must also describe the purposes for which you process the data, which in practice means you need to know and be able to state the lawful basis you rely on.
This does not differ much from the lawful bases for processing personal data under the Data Protection Act, but you now have a stronger requirement to document them and to publish them in your privacy notice.
You should review the processing activities you carry out and document every lawful basis under which you process data. This will bring you closer to GDPR compliance by fulfilling the accountability requirements.
GDPR applies from 25th May 2018.