GDPR, FastMail and you

Company

Following on from December’s blog post our executive team has been hard at work for the past few months making preparations for the upcoming GDPR. Current customers, no matter where you are located, should expect to receive notices soon about changes.

GDPR has been a great opportunity for us to confirm everything we believe about our products. Your data is yours, and we should be able to clearly articulate how we touch it.

What is GDPR?

General Data Protection Regulation (GDPR) is a new set of rules from the European Union (EU) and sets a standard for how companies use and protect people’s personal data. It comes into effect on May 25, 2018.

While aimed specifically at EU citizens, we feel it aligns closely with our own privacy values (you are our customer, not the product) and we will be providing the same transparency and protection for all our customers, regardless of where they live or their country of citizenship.

It covers:

  • Clarifying what is personal data.
  • Ensuring customers can always take their data with them: no more vendor lock-in. This is something we have always provided, and we continue to work on open standards to make sure we can advocate for transparency for our customers.
  • Customers have the right to be forgotten: they can request to have all their personal data removed from a service.
  • Making sure that customers are suitably informed in clear language, and have actively consented, to how their data is used and accessed in the course of providing service.
  • That notification of your data being accessed illegally (a data breach) is timely and appropriate.

What does “personal data” mean?

Anything that can help identify an individual is personal data.

Some examples: your email address, your IP address, your physical address, appointments you might have coming up, where you work, who your family members are.

There are some obvious personal information that we collect for users of any of our products (FastMail, Topicbox, Pobox, Listbox): your email address, billing information, and IP address. But any email content is also considered personal information because it can contain anything. We can’t know what you might have put in your email, so we must treat it as personal data.

What this regulation means for you

FastMail is serious about protecting your privacy. It is one of our core values. We believe that security is more than a checkbox.

We will be updating our policies before GDPR comes into effect, and we continue our commitment to plain language and a clear outline of what you can expect from us and any data processing vendors we use.

You control your data, when it comes to email, contacts and calendars. We provide processing of that data in order to supply you with an email service. Our job is to execute your wishes faithfully, efficiently, and with low friction so you can get on with your day.

We process your data to ensure we can deliver your mail, to keep your mailbox free from spam and to make it easy to search.

Our support team do not have access to your email content beyond what’s minimally necessary to supply you with service, unless you explicitly provide consent for the purposes of resolving a support issue.

We periodically profile data in aggregate to test and validate the design of software to ensure we can handle size, scale, and throughput of our customer base.

There are only two ways we use your information for anything other than directly providing the email service you pay us for:

  1. If you opt-in to our newsletters, you occasionally will receive information about changes to our service, company news, or surveys to help us find out how we can help our customers.
  2. Information in aggregate for marketing purposes to better understand the people interested in our service and how we can better meet their needs.

How is FastMail preparing for GDPR?

Because of our longstanding commitment to your privacy, this is a problem we’ve given a lot of thought. We are continuing to review our processes and data to make sure that the only staff who have access to your information are the ones who need it in order to provide you with the service you pay us for.

We are ensuring that in meeting our obligations, we don't get in your way: our service will remain fast, and easy to use. We believe that your privacy is a right, not a chore.

You have the “right to be forgotten” under the GDPR. This means you can request that we delete all your personal data off our platform, without exposing a potential security risk for a malicious attack. You can request your account be removed off our platform and the data will be cleared after a waiting period (just in case a hacker was the one who closed your account).

Our work through open standards means your data has always been portable and you can download it at any time.

We are working with our vendors who help us provide our service to ensure that they, too, are upholding the GDPR and updating our contracts as necessary.

We are preparing Data Protection Agreements (DPAs) for customers to sign, where needed.

We are appointing a Privacy Officer (and you can contact them at privacy@fastmail.com). Their role is to manage FastMail’s compliance with the GDPR regulation, with the help of an externally appointed Data Protection Officer.

Stay tuned

Customers can expect a policy update soon. More information will be published on our blog and help pages as we complete the steps necessary to guarantee compliance.

If you have any questions or concerns not addressed here, please contact privacy@fastmail.com.