The rules are clear about what you may do: anything they do not allow is forbidden. You must, as lawyers say, have the authority to process the information. One of the legal bases is consent, and therefore you must get consent from your customers before processing their information.
The consent must be voluntary, specific, informed and unambiguous. The burden of proof is on you.
The registrant must fully understand what he or she has given consent to.
To test the unambiguity of the consent, let a third party read the consent. Ask the reader what he or she is giving consent to. If the reader cannot explain exactly how his or her personal data is used, the consent is not clear enough and you need to rewrite it.