Consent is only one possible justification for processing, you do not need it for everything. It's more a shift to "processing PII is forbidden unless for one of the following reasons", consent being one of them, and requiring assigning purposes to collected data. You can't just have webserver logs piling up somewhere without reason, but you probably can have a policy like "We keep IP addresses for 48 hours for security purposes", if you have an appropriate security process needing that data.
