The GDPR in action

There has been a flurry of activity as organizations around the globe scramble to become GDPR-compliant. It’s been almost two months since the European Union implemented the General Data Protection Regulation that attempts to hand control of personal data back to citizens of the EU. Many companies are keeping the threat of high fines in mind as they work to achieve compliance. Others are waiting to see how major players such as Facebook and Google manage the GDPR before putting in too much effort. Still others are cancelling service to EU customers due to the perceived high costs of implementing the necessary changes, notwithstanding that other jurisdictions are likely to enact similar legislation.

How has your organization been handling the new regulation? Let’s take a look at some of the questions that have arisen since implementation, and what, if anything, you should be doing to ensure compliance.

Interpreting the meaning of consent

At the moment, obtaining consent is the most pressing GDPR issue, requiring immediate action from many organizations with customers in the EU. The Regulation requires entities to obtain informed consent by explicit affirmative action before they gather or use personal data. The entity collecting the data must inform the individual of how their data will be used and only gather as much data as is needed for the stated purpose.

In the weeks leading up to GDPR implementation, organizations interpreted this standard differently and used a variety of methods to comply, ranging from emails to opt-in banners.

Are renewed consent forms necessary?

We’ve all seen numerous versions of the same email requiring consent to remain on a mailing list. The truth is, many of these emails are unnecessary. If prior consent was given upon sign-up, as it likely was in accordance with the 1998 Data Protection Act, and the data is still used for the same purposes, there's a good chance that this original consent is GDPR-compliant. There’s no need to go back and request another one as long as there’s a record of the original consent.

What does ‘consent by explicit affirmative action’ mean?

Consent by affirmative action must be given when a new customer signs up for a service or if personal data is used in a way not originally agreed to. In either case, “affirmative action” means an explicit “opt in” must be given. Merely responding “OK” to a banner or an email doesn’t comply with the Regulation. Other shortcuts, including consent messages with no option to decline and default opt-in boxes that are pre-marked, are also non-compliant.

Keep the big picture in mind

So far, most organizations have been focused on ensuring that they have proper user consent. However, the GDPR will govern many aspects of how business is conducted. You can read the regulation in its entirety here.

If you feel overwhelmed or confused, remember to keep the big picture in mind. The GDPR’s purpose is to give individuals control over their personal data. Data should be collected with consent, used for the purposes for which the consent was given, and be deleted upon request, and individuals should be informed in case of a security breach. These are the basic requirements of the GDPR.

Hushmail keeps it simple

Because Hushmail is an organization dedicated to individual privacy, we were in compliance with most of the GDPR requirements before they went into effect, and were already supplying new customers with a simple, easy-to-read Terms of Service and Privacy Policy that they actively agreed to.

Under the GDPR we have expanded our consent form to require customers to actively consent to specific uses of their data when they sign up for an account, and customers who decide to leave Hushmail are given the option to erase personal data from Hushmail databases. All of the changes made in accordance with the GDPR are clearly stated in our updated Privacy Policy.

As an organization that makes it our Mission to keep our customers’ data safe, we fully support new standards that give individuals greater control over their personal data. As with any major regulatory change, we can expect a period of adaptation, but once the dust settles, we’ll find ourselves with greater security, privacy, and consumer confidence. This is good for all of us.
