[richardk3000]

For new users, explaining this in the privacy policy and getting their consent is enough. It is wise to store the consent, for a user might complain that he/she never gave their OK, and then it's up to you to prove that they did.

If you already have a user base, you should inform them that you are changing your processing of their data, again they must consent. (you will probably have received those kind of mails or popups on websites during the last year yourself)

Important question: are you offering the service to individuals interacting directly with your service, or are you processing this data on behalf of a business client (the "controller")?