Here is the guidance from the ICO
The idea is that any system that is being worked on requires data protection by design and default.
This includes:
Asking the user for permission to use their personal information. Where they need to opt in, the opt-in must be explicit rather than assumed. (There are some circumstances where permission is not required, but you still need to make the owner of the data aware.)
You should also record the version of the privacy notice that they accepted. If the terms change to include additional usage then permission needs to be requested again before the data is used. Permission may also be withdrawn.
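The consent-versioning rule above is easier to get right if it is held in one place rather than scattered across checks. The following is an added example (not part of the ICO guidance or the original note) of a small in-memory consent ledger: every consent record carries the privacy notice version and the purposes the user accepted, processing for a purpose is allowed only if the user's latest, non-withdrawn record covers it, and when a new notice adds purposes the user is flagged for re-consent while existing permissions stay usable. The class and method names, the purpose strings and the sample users are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event: who accepted which notice version for which purposes."""
    user_id: str
    notice_version: int
    purposes: FrozenSet[str]
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Hypothetical single source of truth for consent (example only)."""

    def __init__(self, notice_version: int, purposes: Iterable[str]) -> None:
        self.current_version = notice_version
        self.current_purposes: FrozenSet[str] = frozenset(purposes)
        # Append-only history per user; the last entry is the user's current state.
        self._history: Dict[str, List[ConsentRecord]] = {}

    def publish_notice(self, version: int, purposes: Iterable[str]) -> None:
        """Publish a new privacy notice. Existing records are NOT altered: users keep
        the permissions they granted, and needs_reconsent() reports who must be asked again."""
        if version <= self.current_version:
            raise ValueError("notice versions must increase")
        self.current_version = version
        self.current_purposes = frozenset(purposes)

    def record_consent(self, user_id: str, notice_version: int, purposes: Iterable[str]) -> ConsentRecord:
        """Store an explicit opt-in. Reject consent to a stale notice so an old form
        cannot be replayed after the terms have changed."""
        if notice_version != self.current_version:
            raise ValueError(f"consent must reference current notice v{self.current_version}")
        accepted = frozenset(purposes)
        if not accepted <= self.current_purposes:
            raise ValueError("cannot consent to purposes the notice does not describe")
        rec = ConsentRecord(user_id, notice_version, accepted, datetime.now(timezone.utc))
        self._history.setdefault(user_id, []).append(rec)
        return rec

    def withdraw(self, user_id: str) -> None:
        """Permission may be withdrawn at any time; we append a withdrawn copy rather than delete."""
        latest = self._latest(user_id)
        if latest is None or latest.withdrawn_at is not None:
            return
        closed = ConsentRecord(latest.user_id, latest.notice_version, latest.purposes,
                               latest.granted_at, datetime.now(timezone.utc))
        self._history[user_id].append(closed)

    def may_process(self, user_id: str, purpose: str) -> bool:
        """Gate every use of personal data on a live record that covers this purpose.
        Default is deny: no record, a withdrawn record or an uncovered purpose all fail."""
        latest = self._latest(user_id)
        if latest is None or latest.withdrawn_at is not None:
            return False
        return purpose in latest.purposes

    def needs_reconsent(self, user_id: str) -> bool:
        """True when the current notice asks for something the user never agreed to
        (no record, withdrawn, or the notice now lists additional purposes)."""
        latest = self._latest(user_id)
        if latest is None or latest.withdrawn_at is not None:
            return True
        return not self.current_purposes <= latest.purposes

    def _latest(self, user_id: str) -> Optional[ConsentRecord]:
        records = self._history.get(user_id)
        return records[-1] if records else None


if __name__ == "__main__":
    ledger = ConsentLedger(notice_version=1, purposes={"service"})
    ledger.record_consent("alice", 1, {"service"})
    ledger.publish_notice(2, {"service", "marketing"})
    print("service allowed:", ledger.may_process("alice", "service"))      # True
    print("marketing allowed:", ledger.may_process("alice", "marketing"))  # False
    print("needs re-consent:", ledger.needs_reconsent("alice"))            # True
```

The design choice worth noting: a new notice never silently widens what is already permitted. Old records keep working for the purposes they name, the added purpose is blocked until the user opts in to the new version, and withdrawal is recorded as an event rather than a deletion so the audit trail survives.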
The use, storage and processing of the data must be clear. Breaches of any of these must be reported to the authorities and to the affected users.
Doing this fully is not simple, but there are benefits. It will typically require personal data to be held in a single place, which simplifies processes (less duplication and inconsistency). Having to understand your internal processes also helps, and it forces good communication practices.