The GDPR in action

Interpreting the meaning of consent

At the moment, obtaining consent is the most pressing GDPR issue, requiring immediate action from many organizations with customers in the EU. The Regulation requires entities to obtain informed consent by explicit affirmative action before they gather or use personal data. The entity collecting the data must inform the individual of how their data will be used and only gather as much data as is needed for the stated purpose.

In the weeks leading up to GDPR implementation, organizations interpreted this standard differently and used a variety of methods to comply, ranging from emails to opt in banners.

Are renewed consent forms necessary?

We’ve all seen numerous versions of the same email requiring consent to remain on a mailing list. The truth is, many of these emails are unnecessary. If prior consent was given upon sign up, as it likely was in accordance with the 1998 Data Protection Act, and the data is still used for the same purposes, there's a good chance that this original consent is GDPR-compliant. There’s no need to go back and request another one as long as there’s a record of the original consent.

What does ‘consent by explicit affirmative action’ mean?

Consent by affirmative action must be given when a new customer signs up for a service or if personal data is used in a way not originally agreed to. In either case, “affirmative action” means an explicit “opt in” must be given. Merely responding “OK” to a banner or an email doesn’t comply with the Regulation. Other shortcuts, including consent messages with no option to decline and default opt-in boxes that are pre-marked, are also non-compliant.

Keep the big picture in mind

So far, most organizations have been focused on ensuring that they have proper user consent. However, the GDPR will govern many aspects of how business is conducted. You can read the regulation in its entirety here.

If you feel overwhelmed or confused, remember to keep the big picture in mind. The GDPR’s purpose is to give individuals control over their personal data. Data should be collected with consent, used for the purposes for which the consent was given, and be deleted upon request, and individuals should be informed in case of a security breach. These are the basic requirements of the GDPR.

Hushmail keeps it simple

Because Hushmail is an organization dedicated to individual privacy, we were in compliance with most of the GDPR requirements before they went into effect, and were already supplying new customers with a simple, easy-to-read Terms of Service and Privacy Policy that they actively agreed to.

Under the GDPR we have expanded our consent form to require customers to actively consent to specific uses of their data when they sign up for an account, and customers who decide to leave Hushmail are given the option to erase personal data from Hushmail databases. All of the changes made in accordance with the GDPR are clearly stated in our updated Privacy Policy.

As an organization that makes it our Mission to keep our customers’ data safe, we fully support new standards that give individuals greater control over their personal data. As with any major regulatory change, we can expect a period of adaptation, but once the dust settles, we’ll find ourselves with greater security, privacy, and consumer confidence. This is good for all of us.

Don't have an account?

Sign up for Hushmail Premium or Hushmail Business today.