Does a GP practice have to obtain specific consent before sending new marketing materials or communications about services to patients?

Not necessarily.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.

You will need to be confident your consent requests already meet the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.

If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.

N.B.  If you have already identified the ‘Public Task’ as a lawful basis for your processing of data, and you can demonstrate that the processing is necessary for you to perform a task in the public interest or for your official functions, you do not need to obtain specific consent.

You can also rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.