Second paragraph is false, first one is partially true.
There are many legitimate reasons for storing and processing data, and you should not ask for consent needlessly - among other reasons, because consent can be withdrawn, at any time, and you are obliged comply stop processing and remove data - unless you have other legitimate reasons, in which case the whole exercise seems pointless.
Whether the data can be used to harm real people has significant correlation with whether it is covered by GDPR, but does not relate to consent. It can also be of relevance on what security precautions are required and when weighing right to privacy vs. needs to process specific data.
As a typical example, you do not need (and shouldn't ask for) consent for data and purposes that are reasonably necessary for the services customers ask for. You are not allowed to share / use for unrelated purposes other than allowed by other stipulations. Also, information on data collection / processing should be reasonably, easily accessible.
There are many legitimate reasons for storing and processing data, and you should not ask for consent needlessly - among other reasons, because consent can be withdrawn, at any time, and you are obliged comply stop processing and remove data - unless you have other legitimate reasons, in which case the whole exercise seems pointless.
Whether the data can be used to harm real people has significant correlation with whether it is covered by GDPR, but does not relate to consent. It can also be of relevance on what security precautions are required and when weighing right to privacy vs. needs to process specific data.
As a typical example, you do not need (and shouldn't ask for) consent for data and purposes that are reasonably necessary for the services customers ask for. You are not allowed to share / use for unrelated purposes other than allowed by other stipulations. Also, information on data collection / processing should be reasonably, easily accessible.