Published on July 19, 2018
There has been a flurry of activity as organizations around the globe scramble to become GDPR-compliant. It’s been almost two months since the European Union implemented the General Data Protection Regulation that attempts to hand control of personal data back to citizens of the EU. Many companies are keeping the threat of high fines in mind as they work to achieve compliance. Others are waiting to see how major players such as Facebook and Google manage the GDPR before putting in too much effort. Still others are cancelling service to EU customers due to the perceived high costs of implementing the necessary changes, notwithstanding that other jurisdictions are likely to enact similar legislation.
At the moment, obtaining consent is the most pressing GDPR issue, requiring immediate action from many organizations with customers in the EU. The Regulation requires entities to obtain informed consent by explicit affirmative action before they gather or use personal data. The entity collecting the data must inform the individual of how their data will be used and only gather as much data as is needed for the stated purpose.
In the weeks leading up to GDPR implementation, organizations interpreted this standard differently and used a variety of methods to comply, ranging from emails to opt in banners.
We’ve all seen numerous versions of the same email requiring consent to remain on a mailing list. The truth is, many of these emails are unnecessary. If prior consent was given upon sign up, as it likely was in accordance with the 1998 Data Protection Act, and the data is still used for the same purposes, there's a good chance that this original consent is GDPR-compliant. There’s no need to go back and request another one as long as there’s a record of the original consent.
Consent by affirmative action must be given when a new customer signs up for a service or if personal data is used in a way not originally agreed to. In either case, “affirmative action” means an explicit “opt in” must be given. Merely responding “OK” to a banner or an email doesn’t comply with the Regulation. Other shortcuts, including consent messages with no option to decline and default opt-in boxes that are pre-marked, are also non-compliant.
So far, most organizations have been focused on ensuring that they have proper user consent. However, the GDPR will govern many aspects of how business is conducted. You can read the regulation in its entirety here.
If you feel overwhelmed or confused, remember to keep the big picture in mind. The GDPR’s purpose is to give individuals control over their personal data. Data should be collected with consent, used for the purposes for which the consent was given, and be deleted upon request, and individuals should be informed in case of a security breach. These are the basic requirements of the GDPR.
As an organization that makes it our Mission to keep our customers’ data safe, we fully support new standards that give individuals greater control over their personal data. As with any major regulatory change, we can expect a period of adaptation, but once the dust settles, we’ll find ourselves with greater security, privacy, and consumer confidence. This is good for all of us.